[full-ci] feat: ocisdev-533 graph

.gitignore

@@ -64,4 +64,5 @@ go.work.sum
 .envrc
 CLAUDE.md
 .claude/
+GEMINI.md
 .agents/

.make/go.mk

@@ -118,7 +118,6 @@ debug-linux-docker-amd64: release-dirs
         -gcflags="all=-N -l" \
 		-tags 'netgo $(TAGS)' \
 		-buildmode=exe \
-		-trimpath \
 		-ldflags '-extldflags "-static" $(DEBUG_LDFLAGS) $(DOCKER_LDFLAGS)' \
 		-o '$(DIST)/binaries/$(EXECUTABLE)-linux-amd64' \
 		./cmd/$(NAME)
@@ -130,7 +129,6 @@ debug-linux-docker-arm64: release-dirs
         -gcflags="all=-N -l" \
 		-tags 'netgo $(TAGS)' \
 		-buildmode=exe \
-		-trimpath \
 		-ldflags '-extldflags "-static" $(DEBUG_LDFLAGS) $(DOCKER_LDFLAGS)' \
 		-o '$(DIST)/binaries/$(EXECUTABLE)-linux-arm64' \
 		./cmd/$(NAME)

changelog/unreleased/enhancement-vault-storage.md

@@ -0,0 +1,15 @@
+Enhancement: Add vault storage with MFA-protected access
+
+Added a dedicated vault storage that can be protected with MFA. A separate
+`storage-users-vault` service instance runs in vault mode and serves
+`/vault/users` and `/vault/projects` mount points with a dedicated
+`VaultStorageProviderID`. The `graph` service gained a new vault mode
+(`GRAPH_ENABLE_VAULT_MODE`) that serves the vault API under the `/vault`
+prefix. The storage registry now routes vault-specific requests exclusively to
+the vault storage provider, preventing accidental access to vault spaces when
+no explicit storage ID is provided.
+
+MFA status is propagated through gRPC metadata
+and forwarded in HTTP headers for WOPI/collaboration flows.
+
+https://github.com/owncloud/ocis/pull/12108

deployments/examples/ocis_full/.env

@@ -186,6 +186,11 @@ KEYCLOAK_TRACING=
 # Note: the leading colon is required to enable the service.
 #KEYCLOAK=:keycloak.yml
 
+### oCIS Vault Storage Settings ###
+# Enable the oCIS vault storage
+# Note: the leading colon is required to enable the service.
+#VAULT_STORAGE=:vault-storage.yml
+
 
 ## Default Enabled Services ##
 
@@ -297,4 +302,4 @@ MAIL_SERVER_DOCKER_TAG=v1.29.3
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OCIS:-}${TIKA:-}${S3NG:-}${S3NG_MINIO:-}${COLLABORA:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${PHOTOADDON:-}${ADVANCEDSEARCH:-}${MAIL_SERVER:-}${MONITORING:-}${KEYCLOAK:-}
+COMPOSE_FILE=docker-compose.yml${OCIS:-}${TIKA:-}${S3NG:-}${S3NG_MINIO:-}${COLLABORA:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${PHOTOADDON:-}${ADVANCEDSEARCH:-}${MAIL_SERVER:-}${MONITORING:-}${KEYCLOAK:-}${VAULT_STORAGE:-}

deployments/examples/ocis_full/vault-storage.yml

@@ -0,0 +1,38 @@
+services:
+  ocis:
+    environment:
+      OCIS_MFA_ENABLED: true
+      NATS_NATS_HOST: 0.0.0.0
+      SETTINGS_GRPC_ADDR: ocis:9191
+      PROXY_CREATE_VAULT_HOME: true
+      GRAPH_ENABLE_VAULT_MODE: true
+
+  storage-users-vault:
+    image: ${OCIS_DOCKER_IMAGE}:${OCIS_DOCKER_TAG}
+    networks:
+      ocis-net:
+    depends_on:
+      ocis:
+        condition: service_started
+    command: ["storage-users", "server"]
+    environment:
+      OCIS_LOG_LEVEL: debug
+      OCIS_GATEWAY_GRPC_ADDR: ocis:9142
+      STORAGE_USERS_ENABLE_VAULT_MODE: true
+      STORAGE_USERS_SERVICE_NAME: storage-users-vault
+      STORAGE_USERS_GRPC_ADDR: storage-users-vault:9170
+      STORAGE_USERS_HTTP_ADDR: storage-users-vault:9168
+      STORAGE_USERS_DATA_SERVER_URL: http://storage-users-vault:9168/data
+      STORAGE_USERS_DEBUG_ADDR: storage-users-vault:9169
+      STORAGE_USERS_OCIS_ROOT: /var/lib/ocis/storage/users-vault
+      STORAGE_USERS_EVENTS_CONSUMER_GROUP: vault-dcfs
+      MICRO_REGISTRY_ADDRESS: ocis:9233
+      OCIS_EVENTS_ENDPOINT: ocis:9233
+      OCIS_CACHE_STORE_NODES: ocis:9233
+    volumes:
+      # configure the .env file to use own paths instead of docker internal volumes
+      - ${OCIS_CONFIG_DIR:-ocis-config}:/etc/ocis
+      - ${OCIS_DATA_DIR:-ocis-data}:/var/lib/ocis
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always

go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/open-policy-agent/opa v1.12.3
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245
-	github.com/owncloud/reva/v2 v2.0.0-20260324082555-823c2f1c2593
+	github.com/owncloud/reva/v2 v2.0.0-20260506065108-b350cd1e8ea1
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12
 	github.com/prometheus/client_golang v1.23.2

go.sum

@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og=
-github.com/owncloud/reva/v2 v2.0.0-20260324082555-823c2f1c2593 h1:RNHAod2gNBEac0KQJfJ6+PCX1t7g9hFmONTGrXFvFII=
-github.com/owncloud/reva/v2 v2.0.0-20260324082555-823c2f1c2593/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ=
+github.com/owncloud/reva/v2 v2.0.0-20260506065108-b350cd1e8ea1 h1:ps23cQ/9iLaj3Cd9gD6791QKRAcP1waM+xHAiywylao=
+github.com/owncloud/reva/v2 v2.0.0-20260506065108-b350cd1e8ea1/go.mod h1:oc3sbqju0T4B+ZwXjhe0DOy4916AiAMlJzO6AO7m8ps=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw=

ocis-pkg/mfa/mfa.go

@@ -7,7 +7,7 @@ import (
 	"net/http"
 )
 
-// MFAHeader is the header to be used across grpc and http services
+// MFAHeader is the header to be used across http services
 // to forward the access token.
 const MFAHeader = "X-Multi-Factor-Authentication"
 
@@ -57,3 +57,8 @@ func SetHeader(r *http.Request, mfa bool) {
 
 	r.Header.Set(MFAHeader, "false")
 }
+
+// IsMFAHeaderTrue checks if the MFA header is set to "true".
+func IsMFAHeaderTrue(r *http.Request) bool {
+	return r.Header.Get(MFAHeader) == "true"
+}

services/collaboration/pkg/connector/contentconnector.go

@@ -15,6 +15,7 @@ import (
 	rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	providerv1beta1 "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
 	"github.com/owncloud/ocis/v2/ocis-pkg/tracing"
 	"github.com/owncloud/ocis/v2/services/collaboration/pkg/config"
 	"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware"
@@ -71,6 +72,9 @@ func newHttpRequest(ctx context.Context, wopiContext middleware.WopiContext, met
 	} else {
 		httpReq.Header.Add("X-Access-Token", wopiContext.AccessToken)
 	}
+	if wopiContext.HasMFA {
+		httpReq.Header.Add(mfa.MFAHeader, "true")
+	}
 	return httpReq, nil
 }
 

services/collaboration/pkg/middleware/wopicontext.go

@@ -36,6 +36,7 @@ type WopiContext struct {
 	FileReference     *providerv1beta1.Reference
 	TemplateReference *providerv1beta1.Reference
 	ViewMode          appproviderv1beta1.ViewMode
+	HasMFA            bool
 }
 
 // WopiContextAuthMiddleware will prepare an HTTP handler to be used as
@@ -133,6 +134,13 @@ func WopiContextAuthMiddleware(cfg *config.Config, st microstore.Store, next htt
 		ctx = ctxpkg.ContextSetUser(ctx, user)
 		ctx = ctxpkg.ContextSetScopes(ctx, scopes)
 
+		// Propagate MFA status embedded in the WOPI token to outgoing gRPC metadata.
+		mfaVal := "false"
+		if claims.WopiContext.HasMFA {
+			mfaVal = "true"
+		}
+		ctx = metadata.AppendToOutgoingContext(ctx, ctxpkg.MFAOutgoingHeader, mfaVal)
+
 		// include additional info in the context's logger
 		wopiLogger = wopiLogger.With().
 			Str("FileReference", claims.WopiContext.FileReference.String()).

services/collaboration/pkg/service/grpc/v0/service.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net/url"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 
@@ -13,10 +14,12 @@ import (
 	userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	providerv1beta1 "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	ctxpkg "github.com/owncloud/reva/v2/pkg/ctx"
 	"github.com/owncloud/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/owncloud/reva/v2/pkg/storagespace"
 	"github.com/owncloud/reva/v2/pkg/utils"
 	microstore "go-micro.dev/v4/store"
+	"google.golang.org/grpc/metadata"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 	"github.com/owncloud/ocis/v2/services/collaboration/pkg/config"
@@ -121,11 +124,14 @@ func (s *Service) OpenInApp(
 	}
 
 	// create the wopiContext and generate the token
+	mfav := metadata.ValueFromIncomingContext(ctx, ctxpkg.MFAOutgoingHeader)
+	hasMFA := slices.Contains(mfav, "true")
 	wopiContext := middleware.WopiContext{
 		AccessToken:   req.GetAccessToken(), // it will be encrypted
 		ViewOnlyToken: utils.ReadPlainFromOpaque(req.GetOpaque(), "viewOnlyToken"),
 		FileReference: &providerFileRef,
 		ViewMode:      req.GetViewMode(),
+		HasMFA:        hasMFA,
 	}
 
 	if templateID := utils.ReadPlainFromOpaque(req.GetOpaque(), "template"); templateID != "" {

services/gateway/pkg/config/config.go

@@ -42,6 +42,7 @@ type Config struct {
 	AuthServiceEndpoint       string `yaml:"auth_service_endpoint" env:"GATEWAY_AUTH_SERVICE_ENDPOINT" desc:"The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"7.0.0"`
 	StoragePublicLinkEndpoint string `yaml:"storage_public_link_endpoint" env:"GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT" desc:"The endpoint of the storage-publiclink service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"7.0.0"`
 	StorageUsersEndpoint      string `yaml:"storage_users_endpoint" env:"GATEWAY_STORAGE_USERS_ENDPOINT" desc:"The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"7.0.0"`
+	StorageUsersVaultEndpoint string `yaml:"storage_users_vault_endpoint" env:"GATEWAY_STORAGE_USERS_VAULT_ENDPOINT" desc:"The endpoint of the storage-users-vault service. The storage-users-vault is an additional storage-users service that runs in vault mode. It can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"Deledda"`
 	StorageSharesEndpoint     string `yaml:"storage_shares_endpoint" env:"GATEWAY_STORAGE_SHARES_ENDPOINT" desc:"The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"7.0.0"`
 	AppRegistryEndpoint       string `yaml:"app_registry_endpoint" env:"GATEWAY_APP_REGISTRY_ENDPOINT" desc:"The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"7.0.0"`
 	OCMEndpoint               string `yaml:"ocm_endpoint" env:"GATEWAY_OCM_ENDPOINT" desc:"The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol." introductionVersion:"7.0.0"`

services/gateway/pkg/config/defaults/defaultconfig.go

@@ -58,6 +58,7 @@ func DefaultConfig() *config.Config {
 		StoragePublicLinkEndpoint: "com.owncloud.api.storage-publiclink",
 		StorageSharesEndpoint:     "com.owncloud.api.storage-shares",
 		StorageUsersEndpoint:      "com.owncloud.api.storage-users",
+		StorageUsersVaultEndpoint: "com.owncloud.api.storage-users-vault",
 		UsersEndpoint:             "com.owncloud.api.users",
 		OCMEndpoint:               "com.owncloud.api.ocm",
 

services/gateway/pkg/revaconfig/config.go

@@ -152,6 +152,22 @@ func spacesProviders(cfg *config.Config, logger log.Logger) map[string]map[strin
 				},
 			},
 		},
+		cfg.StorageUsersVaultEndpoint: {
+			// Use the dedicated storage provider for vault
+			"providerid": utils.VaultStorageProviderID,
+			"spaces": map[string]interface{}{
+				"personal": map[string]interface{}{
+					// The mount point must have the "vault/" prefix to be picked up by the vault storage provider
+					"mount_point":   "/vault/users",
+					"path_template": "/vault/users/{{.Space.Owner.Id.OpaqueId}}",
+				},
+				"project": map[string]interface{}{
+					// The mount point must have the "vault/" prefix to be picked up by the vault storage provider
+					"mount_point":   "/vault/projects",
+					"path_template": "/vault/projects/{{.Space.Name}}",
+				},
+			},
+		},
 		cfg.StorageSharesEndpoint: {
 			"providerid": utils.ShareStorageProviderID,
 			"spaces": map[string]interface{}{

services/graph/pkg/config/config.go

@@ -39,6 +39,8 @@ type Config struct {
 
 	Validation Validation `yaml:"validation"`
 
+	EnableVaultMode bool `yaml:"enable_vault_mode" env:"GRAPH_ENABLE_VAULT_MODE" desc:"Enable vault mode in addition to the regular graph service. This only applies when the additional storage-users-vault service is running, which is a special configured storage-users service." introductionVersion:"Deledda"`
+
 	Context context.Context `yaml:"-"`
 }
 
@@ -50,6 +52,7 @@ type Spaces struct {
 	UsersCacheTTL                   int    `yaml:"users_cache_ttl" env:"GRAPH_SPACES_USERS_CACHE_TTL" desc:"Max TTL in seconds for the spaces users cache." introductionVersion:"pre5.0"`
 	GroupsCacheTTL                  int    `yaml:"groups_cache_ttl" env:"GRAPH_SPACES_GROUPS_CACHE_TTL" desc:"Max TTL in seconds for the spaces groups cache." introductionVersion:"pre5.0"`
 	StorageUsersAddress             string `yaml:"storage_users_address" env:"GRAPH_SPACES_STORAGE_USERS_ADDRESS" desc:"The address of the storage-users service." introductionVersion:"5.0"`
+	StorageUsersVaultAddress        string `yaml:"storage_users_vault_address" env:"GRAPH_SPACES_STORAGE_USERS_VAULT_ADDRESS" desc:"The address of the storage-users-vault service, a special configured storage-users service. Applicable only when 'GRAPH_ENABLE_VAULT_MODE' is enabled." introductionVersion:"Deledda"`
 	DefaultLanguage                 string `yaml:"default_language" env:"OCIS_DEFAULT_LANGUAGE" desc:"The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details." introductionVersion:"5.0"`
 	TranslationPath                 string `yaml:"translation_path" env:"OCIS_TRANSLATION_PATH;GRAPH_TRANSLATION_PATH" desc:"(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details." introductionVersion:"7.0.0"`
 }

services/graph/pkg/config/defaults/defaultconfig.go

@@ -68,10 +68,11 @@ func DefaultConfig() *config.Config {
 		},
 		Reva: shared.DefaultRevaConfig(),
 		Spaces: config.Spaces{
-			StorageUsersAddress: "com.owncloud.api.storage-users",
-			WebDavBase:          "https://localhost:9200",
-			WebDavPath:          "/dav/spaces/",
-			DefaultQuota:        "1000000000",
+			StorageUsersAddress:      "com.owncloud.api.storage-users",
+			StorageUsersVaultAddress: "com.owncloud.api.storage-users-vault",
+			WebDavBase:               "https://localhost:9200",
+			WebDavPath:               "/dav/spaces/",
+			DefaultQuota:             "1000000000",
 			// 1 minute
 			ExtendedSpacePropertiesCacheTTL: 60,
 			// 1 minute

services/graph/pkg/middleware/auth.go

@@ -93,6 +93,15 @@ func Auth(opts ...account.Option) func(http.Handler) http.Handler {
 				ctx = metadata.AppendToOutgoingContext(ctx, ctxpkg.InitiatorHeader, initiatorID)
 			}
 
+			// Propagate MFA status to outgoing gRPC metadata so that services
+			// protected by the mfa interceptor (e.g. storage-users-vault)
+			// can enforce MFA at the gRPC layer.
+			mfaVal := "false"
+			if mfa.Has(ctx) {
+				mfaVal = "true"
+			}
+			ctx = metadata.AppendToOutgoingContext(ctx, revactx.MFAOutgoingHeader, mfaVal)
+
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}

services/graph/pkg/middleware/mfa.go

@@ -0,0 +1,23 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
+)
+
+// RequireMFA middleware is used to require the user in context to have MFA satisfied
+func RequireMFA(logger log.Logger) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if !mfa.Has(r.Context()) {
+				l := logger.SubloggerWithRequestID(r.Context())
+				l.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+				mfa.SetRequiredStatus(w)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}

services/graph/pkg/middleware/vault.go

@@ -0,0 +1,30 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+)
+
+type key int
+
+const vaultModeKey key = iota
+
+// SetVaultMode sets the vault mode in the context.
+func SetVaultMode(ctx context.Context, enabled bool) context.Context {
+	return context.WithValue(ctx, vaultModeKey, enabled)
+}
+
+// IsVaultMode checks if the vault mode is enabled in the context.
+func IsVaultMode(ctx context.Context) bool {
+	val, ok := ctx.Value(vaultModeKey).(bool)
+	return val && ok
+}
+
+// VaultModeMiddleware is a middleware that sets the vault mode in the context.
+func VaultModeMiddleware() func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			next.ServeHTTP(w, r.WithContext(SetVaultMode(r.Context(), true)))
+		})
+	}
+}

services/graph/pkg/service/v0/driveitems.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 	"github.com/owncloud/ocis/v2/services/graph/pkg/errorcode"
+	"github.com/owncloud/ocis/v2/services/graph/pkg/middleware"
 )
 
 // CreateUploadSession create an upload session to allow your app to upload files up to the maximum file size.
@@ -154,13 +155,19 @@ func (g Graph) GetRootDriveChildren(w http.ResponseWriter, r *http.Request) {
 
 	currentUser := revactx.ContextMustGetUser(r.Context())
 	// do we need to list all or only the personal drive
-	filters := []*storageprovider.ListStorageSpacesRequest_Filter{}
-	filters = append(filters, listStorageSpacesUserFilter(currentUser.GetId().GetOpaqueId()))
-	filters = append(filters, listStorageSpacesTypeFilter("personal"))
+	listReq := &storageprovider.ListStorageSpacesRequest{
+		Filters: []*storageprovider.ListStorageSpacesRequest_Filter{
+			listStorageSpacesUserFilter(currentUser.GetId().GetOpaqueId()),
+			listStorageSpacesTypeFilter("personal"),
+		},
+	}
 
-	res, err := gatewayClient.ListStorageSpaces(ctx, &storageprovider.ListStorageSpacesRequest{
-		Filters: filters,
-	})
+	// force vault storage space if vault mode is enabled
+	if middleware.IsVaultMode(ctx) {
+		listReq.Opaque = utils.AppendPlainToOpaque(listReq.Opaque, "storage_id", utils.VaultStorageProviderID)
+	}
+
+	res, err := gatewayClient.ListStorageSpaces(ctx, listReq)
 	switch {
 	case err != nil:
 		g.logger.Error().Err(err).Msg("error making ListStorageSpaces grpc call")