Get rid of hardcoded admin user uuid

The UUID is generated by `ocs init` now and stored in the config file.
To avoid that every ocis install uses the same UUID

Closes: owncloud#3524

.drone.star

@@ -1690,7 +1690,7 @@ def ocisServerWithAccounts(storage, accounts_hash_difficulty = 4, volumes = [],
             "name": "wait-for-ocis-server",
             "image": OC_CI_ALPINE,
             "commands": [
-                "curl -k -u admin:admin --fail --retry-connrefused --retry 10 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/ddc2004c-0977-11eb-9d3f-a793888cd0f8'",
+                "curl -k -u admin:admin --fail --retry-connrefused --retry 10 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/admin'",
             ],
             "depends_on": depends_on,
         },
@@ -1719,7 +1719,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
             "name": "wait-for-ocis-server",
             "image": OC_CI_ALPINE,
             "commands": [
-                "curl -k -u admin:admin --fail --retry-connrefused --retry 10 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/ddc2004c-0977-11eb-9d3f-a793888cd0f8'",
+                "curl -k -u admin:admin --fail --retry-connrefused --retry 10 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/admin'",
             ],
             "depends_on": depends_on,
         }

changelog/unreleased/change-ocis-init.md

@@ -1,10 +1,12 @@
 Change: Introduce `ocis init` and remove all default secrets
 
-We've removed all default secrets. This means you can't start oCIS any longer
-without setting these via environment variable or configuration file.
+We've removed all default secrets and the hardcoded UUID of the user `adamin.
+This means you can't start oCIS any longer without setting these via
+environment variable or configuration file.
 
 In order to make this easy for you, we introduced a new command: `ocis init`.
 You can run this command before starting oCIS with `ocis server` and it will
 bootstrap you a configuration file for a secure oCIS instance.
 
 https://github.com/owncloud/ocis/pull/3551
+https://github.com/owncloud/ocis/issues/3524

extensions/idm/ldif/base.ldif.tmpl

@@ -29,7 +29,7 @@ cn: admin
 displayName: Admin
 description: An admin for this oCIS instance.
 mail: [email protected]
-ownCloudUUID: ddc2004c-0977-11eb-9d3f-a793888cd0f8
+ownCloudUUID: {{ .ID }}
 {{ else -}}
 dn: uid={{ .Name }},ou=sysusers,o=libregraph-idm
 objectClass: account

extensions/idm/pkg/command/server.go

@@ -90,12 +90,14 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 	type svcUser struct {
 		Name     string
 		Password string
+		ID       string
 	}
 
 	serviceUsers := []svcUser{
 		{
 			Name:     "admin",
 			Password: cfg.ServiceUserPasswords.OcisAdmin,
+			ID:       cfg.Commons.AdminUserID,
 		},
 		{
 			Name:     "libregraph",

extensions/idm/pkg/config/parser/parse.go

@@ -33,6 +33,10 @@ func ParseConfig(cfg *config.Config) error {
 }
 
 func Validate(cfg *config.Config) error {
+	if cfg.AdminUserID == "" {
+		return shared.MissingAdminUserID(cfg.Service.Name)
+	}
+
 	if cfg.ServiceUserPasswords.Idm == "" {
 		return shared.MissingServiceUserPassword(cfg.Service.Name, "IDM")
 	}
@@ -44,6 +48,7 @@ func Validate(cfg *config.Config) error {
 	if cfg.ServiceUserPasswords.Idp == "" {
 		return shared.MissingServiceUserPassword(cfg.Service.Name, "IDP")
 	}
+
 	if cfg.ServiceUserPasswords.Reva == "" {
 		return shared.MissingServiceUserPassword(cfg.Service.Name, "REVA")
 	}

extensions/settings/pkg/config/parser/parse.go

@@ -41,5 +41,9 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
 	}
 
+	if cfg.AdminUserID == "" {
+		return shared.MissingAdminUserID(cfg.Service.Name)
+	}
+
 	return nil
 }

extensions/settings/pkg/service/v0/service.go

@@ -126,7 +126,7 @@ func (g Service) RegisterDefaultRoles() {
 		}
 	}
 
-	for _, req := range defaultRoleAssignments() {
+	for _, req := range g.defaultRoleAssignments() {
 		if _, err := g.manager.WriteRoleAssignment(req.AccountUuid, req.RoleId); err != nil {
 			g.logger.Error().Err(err).Msg("failed to register role assignment")
 		}

extensions/settings/pkg/service/v0/settings.go

@@ -532,14 +532,14 @@ func generatePermissionRequests() []*settingssvc.AddSettingToBundleRequest {
 	}
 }
 
-func defaultRoleAssignments() []*settingsmsg.UserRoleAssignment {
+func (g Service) defaultRoleAssignments() []*settingsmsg.UserRoleAssignment {
 	return []*settingsmsg.UserRoleAssignment{
 		// default admin users
 		{
 			AccountUuid: "058bff95-6708-4fe5-91e4-9ea3d377588b", // demo user "moss"
 			RoleId:      BundleUUIDRoleAdmin,
 		}, {
-			AccountUuid: "ddc2004c-0977-11eb-9d3f-a793888cd0f8",
+			AccountUuid: g.config.Commons.AdminUserID,
 			RoleId:      BundleUUIDRoleAdmin,
 		},
 		// default users with role "user"

extensions/settings/pkg/store/defaults/defaults.go

@@ -1,6 +1,7 @@
 package defaults
 
 import (
+	"github.com/owncloud/ocis/extensions/settings/pkg/config"
 	settingsmsg "github.com/owncloud/ocis/protogen/gen/ocis/messages/settings/v0"
 )
 
@@ -496,14 +497,14 @@ var languageSetting = settingsmsg.Setting_SingleChoiceValue{
 }
 
 // DefaultRoleAssignments returns (as one might guess) the default role assignments
-func DefaultRoleAssignments() []*settingsmsg.UserRoleAssignment {
+func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignment {
 	return []*settingsmsg.UserRoleAssignment{
 		// default admin users
 		{
 			AccountUuid: "058bff95-6708-4fe5-91e4-9ea3d377588b", // demo user "moss"
 			RoleId:      BundleUUIDRoleAdmin,
 		}, {
-			AccountUuid: "ddc2004c-0977-11eb-9d3f-a793888cd0f8",
+			AccountUuid: cfg.Commons.AdminUserID,
 			RoleId:      BundleUUIDRoleAdmin,
 		},
 		// default users with role "user"

extensions/settings/pkg/store/metadata/assignments.go

@@ -14,7 +14,7 @@ import (
 // ListRoleAssignments loads and returns all role assignments matching the given assignment identifier.
 func (s *Store) ListRoleAssignments(accountUUID string) ([]*settingsmsg.UserRoleAssignment, error) {
 	if s.mdc == nil {
-		return defaultRoleAssignments(accountUUID), nil
+		return s.defaultRoleAssignments(accountUUID), nil
 	}
 	s.Init()
 	ctx := context.TODO()
@@ -92,9 +92,9 @@ func (s *Store) RemoveRoleAssignment(assignmentID string) error {
 	return fmt.Errorf("assignmentID '%s' not found", assignmentID)
 }
 
-func defaultRoleAssignments(accID string) []*settingsmsg.UserRoleAssignment {
+func (s *Store) defaultRoleAssignments(accID string) []*settingsmsg.UserRoleAssignment {
 	var assmnts []*settingsmsg.UserRoleAssignment
-	for _, r := range defaults.DefaultRoleAssignments() {
+	for _, r := range defaults.DefaultRoleAssignments(s.cfg) {
 		if r.AccountUuid == accID {
 			assmnts = append(assmnts, r)
 		}

extensions/settings/pkg/store/metadata/assignments_test.go

@@ -5,8 +5,10 @@ import (
 	"sync"
 	"testing"
 
+	"github.com/gofrs/uuid"
 	"github.com/owncloud/ocis/extensions/settings/pkg/config/defaults"
 	olog "github.com/owncloud/ocis/ocis-pkg/log"
+	"github.com/owncloud/ocis/ocis-pkg/shared"
 	settingsmsg "github.com/owncloud/ocis/protogen/gen/ocis/messages/settings/v0"
 	"github.com/stretchr/testify/require"
 )
@@ -18,7 +20,6 @@ var (
 	s = &Store{
 		Logger: logger,
 		l:      &sync.Mutex{},
-		cfg:    defaults.DefaultConfig(),
 	}
 
 	logger = olog.NewLogger(
@@ -89,6 +90,11 @@ var (
 )
 
 func init() {
+	s.cfg = defaults.DefaultConfig()
+	s.cfg.Commons = &shared.Commons{
+		AdminUserID: uuid.Must(uuid.NewV4()).String(),
+	}
+
 	_ = NewMDC(s)
 	setupRoles()
 }

extensions/settings/pkg/store/metadata/store.go

@@ -123,7 +123,7 @@ func (s *Store) initMetadataClient(mdc MetadataClient) error {
 		}
 	}
 
-	for _, p := range defaults.DefaultRoleAssignments() {
+	for _, p := range defaults.DefaultRoleAssignments(s.cfg) {
 		accountUUID := p.AccountUuid
 		roleID := p.RoleId
 		err = mdc.MakeDirIfNotExist(ctx, accountPath(accountUUID))

ocis-pkg/config/config.go

@@ -69,6 +69,7 @@ type Config struct {
 	MachineAuthAPIKey string               `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
 	TransferSecret    string               `yaml:"transfer_secret" env:"STORAGE_TRANSFER_SECRET"`
 	MetadataUserID    string               `yaml:"metadata_user_id" env:"METADATA_USER_ID"`
+	AdminUserID       string               `yaml:"admin_user_id" env:"ADMIN_USER_ID"`
 	Runtime           Runtime              `yaml:"runtime"`
 
 	Audit             *audit.Config           `yaml:"audit"`

ocis-pkg/config/parser/parse.go

@@ -98,6 +98,11 @@ func EnsureCommons(cfg *config.Config) {
 	if cfg.MetadataUserID != "" {
 		cfg.Commons.MetadataUserID = cfg.MetadataUserID
 	}
+
+	// copy admin user id to the commons part if set
+	if cfg.AdminUserID != "" {
+		cfg.Commons.AdminUserID = cfg.AdminUserID
+	}
 }
 
 func Validate(cfg *config.Config) error {

ocis-pkg/shared/errors.go

@@ -53,3 +53,11 @@ func MissingMetadataUserID(service string) error {
 		"the config/corresponding environment variable).",
 		service, defaults.BaseConfigPath())
 }
+
+func MissingAdminUserID(service string) error {
+	return fmt.Errorf("The admin user ID has not been configured for %s. "+
+		"Make sure your %s config contains the proper values "+
+		"(e.g. by running ocis init or setting it manually in "+
+		"the config/corresponding environment variable).",
+		service, defaults.BaseConfigPath())
+}

ocis-pkg/shared/shared_types.go

@@ -45,4 +45,5 @@ type Commons struct {
 	MachineAuthAPIKey string        `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
 	TransferSecret    string        `yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
 	MetadataUserID    string        `yaml:"metadata_user_id" env:"METADATA_USER_ID"`
+	AdminUserID       string        `yaml:"admin_user_id" env:"ADMIN_USER_ID"`
 }

ocis/pkg/init/init.go

@@ -101,6 +101,7 @@ type OcisConfig struct {
 	MachineAuthApiKey string       `yaml:"machine_auth_api_key"`
 	TransferSecret    string       `yaml:"transfer_secret"`
 	MetadataUserID    string       `yaml:"metadata_user_id"`
+	AdminUserID       string       `yaml:"admin_user_id"`
 	Graph             GraphExtension
 	Idp               LdapBasedExtension
 	Idm               IdmExtension
@@ -163,6 +164,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 	}
 
 	metadataUserID := uuid.Must(uuid.NewV4()).String()
+	adminUserID := uuid.Must(uuid.NewV4()).String()
 
 	idmServicePassword, err := generators.GenerateRandomPassword(passwordLength)
 	if err != nil {
@@ -204,6 +206,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 		MachineAuthApiKey: machineAuthApiKey,
 		TransferSecret:    revaTransferSecret,
 		MetadataUserID:    metadataUserID,
+		AdminUserID:       adminUserID,
 		Idm: IdmExtension{
 			ServiceUserPasswords: ServiceUserPasswordsSettings{
 				AdminPassword: ocisAdminServicePassword,