enhancement: do not enable all roles by default.

From now on, not all unified roles are enabled by default; instead, the available roles are hand-picked in the default setup.

For advanced use cases, the administrator is able to enable the desired set of available roles.

Picking roles is not easy since the UID is NOT human-readable; therefore a CLI is included which lists the available, disabled and enabled roles.
This commit is contained in:
Florian Schade
2024-08-04 13:04:52 +02:00
parent a4c2aff641
commit 56537e94fc
143 changed files with 15802 additions and 785 deletions


@@ -9,6 +9,13 @@ import (
"github.com/owncloud/ocis/v2/ocis-pkg/shared"
"github.com/owncloud/ocis/v2/ocis-pkg/structs"
"github.com/owncloud/ocis/v2/services/graph/pkg/config"
"github.com/owncloud/ocis/v2/services/graph/pkg/unifiedrole"
)
var (
// _disabledByDefaultUnifiedRoleRoleIDs contains all roles that are not enabled by default,
// but can be enabled by the user.
_disabledByDefaultUnifiedRoleRoleIDs = []string{unifiedrole.UnifiedRoleSecureViewerID}
)
// FullDefaultConfig returns a fully initialized default configuration
@@ -164,6 +171,16 @@ func EnsureDefaults(cfg *config.Config) {
if cfg.Identity.LDAP.GroupCreateBaseDN == "" {
cfg.Identity.LDAP.GroupCreateBaseDN = cfg.Identity.LDAP.GroupBaseDN
}
// set default roles, if no roles are defined, we need to take care and provide all the default roles
if len(cfg.UnifiedRoles.AvailableRoles) == 0 {
for _, definition := range unifiedrole.GetBuiltinRoleDefinitionList(
// filter out the roles that are disabled by default
unifiedrole.RoleFilterInvert(unifiedrole.RoleFilterIDs(_disabledByDefaultUnifiedRoleRoleIDs...)),
) {
cfg.UnifiedRoles.AvailableRoles = append(cfg.UnifiedRoles.AvailableRoles, definition.GetId())
}
}
}
// Sanitize sanitized the configuration
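Review bot: Administrator-supplied `cfg.UnifiedRoles.AvailableRoles` entries are passed through untouched here — only the empty case is handled — so a mistyped or unknown role UUID (the commit description itself notes these IDs are not human-readable) silently survives EnsureDefaults unless Validate, which is not in this hunk, rejects it; consider checking every configured ID against the definitions returned by `unifiedrole.GetBuiltinRoleDefinitionList` and failing on an unknown one, since an unrecognised ID leaves that role neither enabled nor reported. The comment on the new block is also misleading: the loop applies `RoleFilterInvert(RoleFilterIDs(...))`, so it does not provide "all" roles; suggest `// no roles configured: fall back to the built-in roles minus _disabledByDefaultUnifiedRoleRoleIDs`. Likewise the variable comment in the first hunk says the disabled roles "can be enabled by the user", while the description makes this an administrator decision; `// but can be enabled by the administrator via UnifiedRoles.AvailableRoles.` would match. EnsureDefaults begins outside the hunk.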