[full-ci] feat: ocisdev-533 graph

.gitignore

@@ -57,6 +57,7 @@ protogen/buf.sha1.lock
 /third-party-licenses
 
 # misc
+.agents/
 /tmp
 go.work
 go.work.sum

.make/go.mk

@@ -118,7 +118,6 @@ debug-linux-docker-amd64: release-dirs
         -gcflags="all=-N -l" \
 		-tags 'netgo $(TAGS)' \
 		-buildmode=exe \
-		-trimpath \
 		-ldflags '-extldflags "-static" $(DEBUG_LDFLAGS) $(DOCKER_LDFLAGS)' \
 		-o '$(DIST)/binaries/$(EXECUTABLE)-linux-amd64' \
 		./cmd/$(NAME)
@@ -130,7 +129,6 @@ debug-linux-docker-arm64: release-dirs
         -gcflags="all=-N -l" \
 		-tags 'netgo $(TAGS)' \
 		-buildmode=exe \
-		-trimpath \
 		-ldflags '-extldflags "-static" $(DEBUG_LDFLAGS) $(DOCKER_LDFLAGS)' \
 		-o '$(DIST)/binaries/$(EXECUTABLE)-linux-arm64' \
 		./cmd/$(NAME)

deployments/examples/ocis_full/.env

@@ -186,6 +186,11 @@ KEYCLOAK_TRACING=
 # Note: the leading colon is required to enable the service.
 #KEYCLOAK=:keycloak.yml
 
+### oCIS Vault Storage Settings ###
+# Enable the oCIS vault storage
+# Note: the leading colon is required to enable the service.
+#VAULT_STORAGE=:vault-storage.yml
+
 
 ## Default Enabled Services ##
 
@@ -297,4 +302,4 @@ MAIL_SERVER_DOCKER_TAG=v1.29.3
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OCIS:-}${TIKA:-}${S3NG:-}${S3NG_MINIO:-}${COLLABORA:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${PHOTOADDON:-}${ADVANCEDSEARCH:-}${MAIL_SERVER:-}${MONITORING:-}${KEYCLOAK:-}
+COMPOSE_FILE=docker-compose.yml${OCIS:-}${TIKA:-}${S3NG:-}${S3NG_MINIO:-}${COLLABORA:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${PHOTOADDON:-}${ADVANCEDSEARCH:-}${MAIL_SERVER:-}${MONITORING:-}${KEYCLOAK:-}${VAULT_STORAGE:-}

deployments/examples/ocis_full/vault-storage.yml

@@ -0,0 +1,37 @@
+services:
+  ocis:
+    environment:
+      OCIS_MFA_ENABLED: true
+      NATS_NATS_HOST: 0.0.0.0
+      SETTINGS_GRPC_ADDR: ocis:9191
+      PROXY_CREATE_VAULT_HOME: true
+      GRAPH_ENABLE_VAULT_MODE: true
+
+  storage-users-vault:
+    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+    networks:
+      ocis-net:
+    depends_on:
+      ocis:
+        condition: service_started
+    command: ["storage-users", "server"]
+    environment:
+      OCIS_LOG_LEVEL: debug
+      OCIS_GATEWAY_GRPC_ADDR: ocis:9142
+      STORAGE_USERS_ENABLE_VAULT_MODE: true
+      STORAGE_USERS_SERVICE_NAME: storage-users-vault
+      STORAGE_USERS_GRPC_ADDR: storage-users-vault:9170
+      STORAGE_USERS_HTTP_ADDR: storage-users-vault:9168
+      STORAGE_USERS_DATA_SERVER_URL: http://storage-users-vault:9168/data
+      STORAGE_USERS_DEBUG_ADDR: storage-users-vault:9169
+      STORAGE_USERS_OCIS_ROOT: /var/lib/ocis/storage/users-vault
+      STORAGE_USERS_EVENTS_CONSUMER_GROUP: vault-dcfs
+      MICRO_REGISTRY_ADDRESS: ocis:9233
+      OCIS_EVENTS_ENDPOINT: ocis:9233
+      OCIS_CACHE_STORE_NODES: ocis:9233
+    volumes:
+      - ocis-data:/var/lib/ocis
+      - ocis-config:/etc/ocis
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always

go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/open-policy-agent/opa v1.12.3
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245
-	github.com/owncloud/reva/v2 v2.0.0-20260324082555-823c2f1c2593
+	github.com/owncloud/reva/v2 v2.0.0-20260324173335-cc6175484320
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12
 	github.com/prometheus/client_golang v1.23.2

go.sum

@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og=
-github.com/owncloud/reva/v2 v2.0.0-20260324082555-823c2f1c2593 h1:RNHAod2gNBEac0KQJfJ6+PCX1t7g9hFmONTGrXFvFII=
-github.com/owncloud/reva/v2 v2.0.0-20260324082555-823c2f1c2593/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ=
+github.com/owncloud/reva/v2 v2.0.0-20260324173335-cc6175484320 h1:UPOCuW88zJx9UYevS3j3dqI9ncjBihcBP7o0Igvl0ZI=
+github.com/owncloud/reva/v2 v2.0.0-20260324173335-cc6175484320/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw=

services/gateway/pkg/config/config.go

@@ -85,18 +85,11 @@ type StorageRegistry struct {
 
 // Cache holds cache config
 type Cache struct {
-	ProviderCacheStore                string        `yaml:"provider_cache_store" env:"OCIS_CACHE_STORE;GATEWAY_PROVIDER_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"pre5.0"`
-	ProviderCacheNodes                []string      `yaml:"provider_cache_nodes" env:"OCIS_CACHE_STORE_NODES;GATEWAY_PROVIDER_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"`
-	ProviderCacheDatabase             string        `yaml:"provider_cache_database" env:"OCIS_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"pre5.0"`
-	ProviderCacheTTL                  time.Duration `yaml:"provider_cache_ttl" env:"OCIS_CACHE_TTL;GATEWAY_PROVIDER_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"`
-	ProviderCacheDisablePersistence   bool          `yaml:"provider_cache_disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"5.0"`
-	ProviderCacheAuthUsername         string        `yaml:"provider_cache_auth_username" env:"OCIS_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"`
-	ProviderCacheAuthPassword         string        `yaml:"provider_cache_auth_password" env:"OCIS_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"`
-	CreateHomeCacheStore              string        `yaml:"create_home_cache_store" env:"OCIS_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"pre5.0"`
-	CreateHomeCacheNodes              []string      `yaml:"create_home_cache_nodes" env:"OCIS_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"`
-	CreateHomeCacheDatabase           string        `yaml:"create_home_cache_database" env:"OCIS_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"pre5.0"`
-	CreateHomeCacheTTL                time.Duration `yaml:"create_home_cache_ttl" env:"OCIS_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"`
-	CreateHomeCacheDisablePersistence bool          `yaml:"create_home_cache_disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"5.0"`
-	CreateHomeCacheAuthUsername       string        `yaml:"create_home_cache_auth_username" env:"OCIS_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"`
-	CreateHomeCacheAuthPassword       string        `yaml:"create_home_cache_auth_password" env:"OCIS_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"`
+	ProviderCacheStore              string        `yaml:"provider_cache_store" env:"OCIS_CACHE_STORE;GATEWAY_PROVIDER_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"pre5.0"`
+	ProviderCacheNodes              []string      `yaml:"provider_cache_nodes" env:"OCIS_CACHE_STORE_NODES;GATEWAY_PROVIDER_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"`
+	ProviderCacheDatabase           string        `yaml:"provider_cache_database" env:"OCIS_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"pre5.0"`
+	ProviderCacheTTL                time.Duration `yaml:"provider_cache_ttl" env:"OCIS_CACHE_TTL;GATEWAY_PROVIDER_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"`
+	ProviderCacheDisablePersistence bool          `yaml:"provider_cache_disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"5.0"`
+	ProviderCacheAuthUsername       string        `yaml:"provider_cache_auth_username" env:"OCIS_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"`
+	ProviderCacheAuthPassword       string        `yaml:"provider_cache_auth_password" env:"OCIS_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"`
 }

services/gateway/pkg/config/defaults/defaultconfig.go

@@ -39,14 +39,10 @@ func DefaultConfig() *config.Config {
 		DisableHomeCreationOnLogin: true,
 		TransferExpires:            24 * 60 * 60,
 		Cache: config.Cache{
-			ProviderCacheStore:      "noop",
-			ProviderCacheNodes:      []string{"127.0.0.1:9233"},
-			ProviderCacheDatabase:   "cache-providers",
-			ProviderCacheTTL:        300 * time.Second,
-			CreateHomeCacheStore:    "memory",
-			CreateHomeCacheNodes:    []string{"127.0.0.1:9233"},
-			CreateHomeCacheDatabase: "cache-createhome",
-			CreateHomeCacheTTL:      300 * time.Second,
+			ProviderCacheStore:    "noop",
+			ProviderCacheNodes:    []string{"127.0.0.1:9233"},
+			ProviderCacheDatabase: "cache-providers",
+			ProviderCacheTTL:      300 * time.Second,
 		},
 
 		FrontendPublicURL: "https://localhost:9200",

services/gateway/pkg/revaconfig/config.go

@@ -75,16 +75,6 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i
 						"cache_auth_username": cfg.Cache.ProviderCacheAuthUsername,
 						"cache_auth_password": cfg.Cache.ProviderCacheAuthPassword,
 					},
-					"create_personal_space_cache_config": map[string]interface{}{
-						"cache_store":               cfg.Cache.CreateHomeCacheStore,
-						"cache_nodes":               cfg.Cache.CreateHomeCacheNodes,
-						"cache_database":            cfg.Cache.CreateHomeCacheDatabase,
-						"cache_table":               "create_personal_space",
-						"cache_ttl":                 cfg.Cache.CreateHomeCacheTTL,
-						"cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence,
-						"cache_auth_username":       cfg.Cache.CreateHomeCacheAuthUsername,
-						"cache_auth_password":       cfg.Cache.CreateHomeCacheAuthPassword,
-					},
 				},
 				"authregistry": map[string]interface{}{
 					"driver": "static",
@@ -162,6 +152,22 @@ func spacesProviders(cfg *config.Config, logger log.Logger) map[string]map[strin
 				},
 			},
 		},
+		"com.owncloud.api.storage-users-vault": {
+			// Use the dedicated storage provider for vault
+			"providerid": utils.VaultStorageProviderID,
+			"spaces": map[string]interface{}{
+				"personal": map[string]interface{}{
+					// The mount point must have the "vault/" prefix to be picked up by the vault storage provider
+					"mount_point":   "/vault/users",
+					"path_template": "/vault/users/{{.Space.Owner.Id.OpaqueId}}",
+				},
+				"project": map[string]interface{}{
+					// The mount point must have the "vault/" prefix to be picked up by the vault storage provider
+					"mount_point":   "/vault/projects",
+					"path_template": "/vault/projects/{{.Space.Name}}",
+				},
+			},
+		},
 		cfg.StorageSharesEndpoint: {
 			"providerid": utils.ShareStorageProviderID,
 			"spaces": map[string]interface{}{

services/graph/pkg/config/config.go

@@ -39,6 +39,8 @@ type Config struct {
 
 	Validation Validation `yaml:"validation"`
 
+	EnableVaultMode bool `yaml:"enable_vault_mode" env:"GRAPH_ENABLE_VAULT_MODE" desc:"Enable vault mode for the graph service runned in addition to the regular graph service. Required the running the storage-users-vault additional service." introductionVersion:"daledda"`
+
 	Context context.Context `yaml:"-"`
 }
 

services/graph/pkg/config/service.go

@@ -2,5 +2,5 @@ package config
 
 // Service defines the available service configuration.
 type Service struct {
-	Name string `yaml:"-"`
+	Name string `yaml:"name" env:"GRAPH_SERVICE_NAME" desc:"The name of the service." introductionVersion:"daledda"`
 }

services/graph/pkg/middleware/mfa.go

@@ -0,0 +1,23 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
+)
+
+// RequireMFA middleware is used to require the user in context to have MFA satisfied
+func RequireMFA(logger log.Logger) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if !mfa.Has(r.Context()) {
+				l := logger.SubloggerWithRequestID(r.Context())
+				l.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+				mfa.SetRequiredStatus(w)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}

services/graph/pkg/middleware/vault.go

@@ -0,0 +1,27 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+)
+
+type key int
+
+const vaultModeKey key = iota
+
+func SetVaultMode(ctx context.Context, enabled bool) context.Context {
+	return context.WithValue(ctx, vaultModeKey, enabled)
+}
+
+func IsVaultMode(ctx context.Context) bool {
+	val, ok := ctx.Value(vaultModeKey).(bool)
+	return val && ok
+}
+
+func VaultModeMiddleware() func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			next.ServeHTTP(w, r.WithContext(SetVaultMode(r.Context(), true)))
+		})
+	}
+}

services/graph/pkg/service/v0/driveitems.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 	"github.com/owncloud/ocis/v2/services/graph/pkg/errorcode"
+	"github.com/owncloud/ocis/v2/services/graph/pkg/middleware"
 )
 
 // CreateUploadSession create an upload session to allow your app to upload files up to the maximum file size.
@@ -158,6 +159,11 @@ func (g Graph) GetRootDriveChildren(w http.ResponseWriter, r *http.Request) {
 	filters = append(filters, listStorageSpacesUserFilter(currentUser.GetId().GetOpaqueId()))
 	filters = append(filters, listStorageSpacesTypeFilter("personal"))
 
+	// force vault storage space if vault mode is enabled
+	if middleware.IsVaultMode(ctx) {
+		filters = append(filters, listStorageSpacesIDFilter(storagespace.FormatStorageID(utils.VaultStorageProviderID, currentUser.GetId().GetOpaqueId())))
+	}
+
 	res, err := gatewayClient.ListStorageSpaces(ctx, &storageprovider.ListStorageSpacesRequest{
 		Filters: filters,
 	})

services/graph/pkg/service/v0/drives.go

@@ -29,10 +29,10 @@ import (
 	"google.golang.org/protobuf/proto"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/l10n"
-	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
 	v0 "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/settings/v0"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
 	"github.com/owncloud/ocis/v2/services/graph/pkg/errorcode"
+	"github.com/owncloud/ocis/v2/services/graph/pkg/middleware"
 	settingsServiceExt "github.com/owncloud/ocis/v2/services/settings/pkg/store/defaults"
 )
 
@@ -133,13 +133,6 @@ func (g Graph) GetAllDrives(version APIVersion) http.HandlerFunc {
 // GetAllDrivesV1 attempts to retrieve the current users drives;
 // it includes another user's drives, if the current user has the permission.
 func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) {
-	if !mfa.Has(r.Context()) {
-		logger := g.logger.SubloggerWithRequestID(r.Context())
-		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
-		mfa.SetRequiredStatus(w)
-		return
-	}
-
 	spaces, errCode := g.getDrives(r, true, APIVersion_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
@@ -160,13 +153,6 @@ func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) {
 // it includes the grantedtoV2 property
 // it uses unified roles instead of the cs3 representations
 func (g Graph) GetAllDrivesV1Beta1(w http.ResponseWriter, r *http.Request) {
-	if !mfa.Has(r.Context()) {
-		logger := g.logger.SubloggerWithRequestID(r.Context())
-		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
-		mfa.SetRequiredStatus(w)
-		return
-	}
-
 	drives, errCode := g.getDrives(r, true, APIVersion_1_Beta_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
@@ -437,6 +423,11 @@ func (g Graph) createDrive(w http.ResponseWriter, r *http.Request, apiVersion AP
 		csr.Owner = us
 	}
 
+	// force vault storage space if vault mode is enabled
+	if middleware.IsVaultMode(ctx) {
+		csr.Opaque = utils.AppendPlainToOpaque(csr.Opaque, "storage_id", utils.VaultStorageProviderID)
+	}
+
 	resp, err := gatewayClient.CreateStorageSpace(ctx, &csr)
 	if err != nil {
 		logger.Error().Err(err).Msg("could not create drive: transport error")
@@ -762,6 +753,7 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor
 	if err != nil {
 		return nil, err
 	}
+
 	lReq := &storageprovider.ListStorageSpacesRequest{
 		Opaque: &types.Opaque{Map: map[string]*types.OpaqueEntry{
 			"permissions": {
@@ -776,6 +768,11 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor
 		Filters: filters,
 	}
 
+	// force vault storage space if vault mode is enabled
+	if middleware.IsVaultMode(ctx) {
+		utils.AppendPlainToOpaque(lReq.Opaque, "storage_id", utils.VaultStorageProviderID)
+	}
+
 	gatewayClient, err := g.gatewaySelector.Next()
 	if err != nil {
 		return nil, err