diff --git a/seafile-sso.py b/seafile-sso.py
index f4a760c..c28fc1a 100644
--- a/seafile-sso.py
+++ b/seafile-sso.py
@@ -1,6 +1,5 @@
 #!/usr/bin/env python
-from ldap import filter
 from ldap3 import Connection, Server, ANONYMOUS, SIMPLE, SYNC, ASYNC, core
 from getpass import getpass
 import configparser
@@ -105,16 +104,6 @@ else:
 # Seafile url
 seafileURL = ccnetConfig['General']['SERVICE_URL']
 
-# DB config
-dbEngine = ccnetConfig['Database']['ENGINE']
-dbHost = ccnetConfig['Database']['HOST']
-dbPort = ccnetConfig['Database'].getint('PORT')
-dbUser = ccnetConfig['Database']['USER']
-dbPassword = ccnetConfig['Database']['PASSWD']
-dbName = ccnetConfig['Database']['DB']
-dbCharset = ccnetConfig['Database']['CONNECTION_CHARSET']
-logger.debug("DB Engine: {0}, DB Host: {1}, DB Port: {2}, DB User: {3}, DB Name: {4}, DB Connection Charset: {5}".format(dbEngine, dbHost, dbPort, dbUser, dbName, dbCharset))
-
 # ldap Config
 ldapHost = ccnetConfig['LDAP']['HOST']
 #ldapPort = ccnetConfig['LDAP SERVER'].getint('port')
@@ -127,17 +116,6 @@ logger.debug("LDAP Host: {0}, LDAP Base: {1}, LDAP User DN: {2}, LDAP Filter: {3
 logger.debug("Finished reading the ccnet.conf file.")
 
-# Config DB Varaibles
-dbconfig = {
-    'user': dbUser,
-    'password': dbPassword,
-    'host': dbHost,
-    'port': dbPort,
-    'database': dbName,
-    'charset': dbCharset,
-    'raise_on_warnings': True
-}
-
 # setup the server
 ldapServer = Server(ldapHost)
 logger.debug("Setup LDAP server connection uri: {0}".format(ldapServer))
@@ -150,92 +128,36 @@ logger.debug("Bind successful.")
 # get seafile users and loop through and check group membership and disable or not
-
-
-# Get seafile users from LDAP
-logger.debug("Searching for users that have a email address, are enabled, and in the {} group.".format(ldapFilter))
-ldap.search(ldapBase, '(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))({0}))'.format(ldapFilter), attributes=['*'])
-logger.debug("Found {0} LDAP users.".format(len(ldap.entries)))
-ldapUsers = ldap.entries
-for user in ldapUsers:
-    logger.debug("User: {0} - Email: {1} - UserDN: {2}".format(user.displayName, user.mail, user.distinguishedName))
-
-
-# Starting query for seafile ldap users
-seafileLDAPUsers = []
-logger.debug("Starting query for LDAPUsers in Seafile")
-seafileUsers = request('admin/search-user/?query=@{0}'.format(adminEmail.split("@")[1]), seafileURL, seafileToken)['response']['user_list']
+logger.debug("Starting query for users in Seafile")
+seafileUsers = request('admin/users/', seafileURL, seafileToken)['response']['data']
 # need to substract one from the len as the admin account is in the list
-logger.debug("Found {0} Seafile LDAP users".format(len(seafileUsers)-1))
+logger.debug("Found {0} Seafile users".format(len(seafileUsers)-1))
 for seafileUser in seafileUsers:
     if seafileUser['email'] == adminEmail:
         continue
     else:
         logger.debug("User: {0} - Active: {1}".format(seafileUser['email'], bool(seafileUser['is_active'])))
-        seafileLDAPUsers.append(seafileUser)
-
-
-
-# Loop through the ldap users and make sure they are in the sql ldap users table
-# if they are not in the sql table, insert a new row to add them
-# if they are disabled in the sql table, enable them
-for ldapUser in ldapUsers:
-    logger.debug("Searching if LDAP user {0} is in Seafile".format(ldapUser.mail))
-    checkSeafileUser = request('admin/search-user/?query={0}'.format(ldapUser.mail), seafileURL, seafileToken)['response']['user_list']
-    # loop through the results and make sure we match on the email
-    for seafileUser in checkSeafileUser:
-        if seafileUser['email'] == ldapUser.mail:
-            # User is in the sql table
-            # are they active
-            is_active = bool(seafileUser['is_active'])
-            # log the results
-            logger.debug("LDAP User {0} is already in Seafile, Is Active: {1}".format(ldapUser.mail, is_active))
-            # if user is not active, they should be
-            if not is_active:
-                logger.info("User {0} is NOT active in Seafile".format(ldapUser.mail))
-                # call the api to enable the user in seafile
-                enableSeafileUser = request('admin/users/{0}/'.format(ldapUser.mail), seafileURL, seafileToken, "PUT", {"is_active": "true"})['response']
-                if enableSeafileUser['is_active']:
-                    logger.info("User {0} was set to active in Seafile".format(ldapUser.mail))
-                else:
-                    logger.error("There was an error setting user {0} to active in Seafile".format(ldapUser.mail))
-        # user is not in the SQL table
-        else:
-            logger.info("LDAP User {0} is NOT in Seafile".format(ldapUser.mail))
-            # add user to ldap table
-            cnx = mysql.connector.connect(**dbconfig)
-            cursor = cnx.cursor()
-            query = "INSERT INTO LDAPUsers (email, password, is_staff, is_active) VALUES ('{0}', '', {1}, {2})".format(ldapUser.mail, 0, 1)
-            logger.debug("Query: {0}".format(query))
-            cursor.execute(query)
-            cnx.commit()
-            row_count = cursor.rowcount
-            if row_count == 1:
-                logger.info("LDAP user {0} was added to the Seafile SQL Table".format(ldapUser.mail))
+        logger.debug("Checking if {0} user has an email, is active, and is in the seafile group")
+        ldap.search(ldapBase, '(&(mail={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))({1}))'.format(seafileUser['email'], ldapFilter), attributes=['*'])
+        count = len(ldap.entries)
+        logger.debug("Found {0} LDAP user.".format(count))
+        if count == 0:
+            logger.debug("User {0} doesn't have an email, isn't active, or isn't in the seafile group, disabling in seafile...".format(seafileUser['email']))
+            if not seafileUser['is_active']:
+                logger.debug("User {0} is already disabled in Seafile".format(seafileUser['email']))
+                continue
+            disableUserinSeafile = request('admin/users/{0}/'.format(seafileUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "false"})['response']
+            if not disableUserinSeafile['is_active']:
+                logger.info("User {0} was set to disabled in Seafile".format(seafileUser['email']))
             else:
-                logger.error("Failed to add LDAP user {0} to the Seafile SQL Table".format(ldapUser.mail))
-            cnx.close()
-            # Update seafile user profile with new name
-            updateSeafileUserName = request('admin/users/{0}/'.format(ldapUser.mail), seafileURL, seafileToken, "PUT", {"name": "{0}".format(ldapUser.displayName)})
-            if updateSeafileUserName['ok']:
-                logger.debug("User {0} name was updated to {1}".format(ldapUser.mail, ldapUser.displayName))
-            else:
-                logger.error("There was an error setting user {0} name to {1}".format(ldapUser.mail, ldapUser.displayName))
-
-# Loop through the sql ldap users and disable those not in the ldap list
-for seafileLDAPUser in seafileLDAPUsers:
-    if not seafileLDAPUser['is_active']:
-        logger.debug("User {0} is already disabled in Seafile".format(seafileLDAPUser['email']))
-        continue
-    logger.debug("Searching for user {0} that has an email address, are enabled, and in the {1} group.".format(seafileLDAPUser['email'], ldapFilter))
-    ldap.search(ldapBase, '(&(mail={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))({1}))'.format(seafileLDAPUser['email'], ldapFilter), attributes=['*'])
-    count = len(ldap.entries)
-    logger.debug("Found {0} LDAP user.".format(count))
-    if count == 0:
-        # User is not enabled, have email, or in the group, disable their account
-        disableUserinSeafile = request('admin/users/{0}/'.format(seafileLDAPUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "false"})['response']
-        if not disableUserinSeafile['is_active']:
-            logger.info("User {0} was set to disabled in Seafile".format(seafileLDAPUser['email']))
+                logger.error("There was an error setting user {0} to disabled in Seafile".format(seafileUser['email']))
         else:
-            logger.error("There was an error setting user {0} to disabled in Seafile".format(seafileLDAPUser['email']))
-
+            logger.debug("User {0} has an email, is active, and is in the seafile group".format(seafileUser['email']))
+            if seafileUser['is_active']:
+                logger.debug("User {0} is already active in Seafile".format(seafileUser['email']))
+                continue
+            ActiveUserinSeafile = request('admin/users/{0}/'.format(seafileUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "true"})['response']
+            if not ActiveUserinSeafile['is_active']:
+                logger.info("User {0} was set to active in Seafile".format(seafileUser['email']))
+            else:
+                logger.error("There was an error setting user {0} to active in Seafile".format(seafileUser['email'])
\ No newline at end of file
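Review bot: The success check on the re-enable path at the end of the hunk is inverted: `if not ActiveUserinSeafile['is_active']:` logs "was set to active" when the PUT left the account inactive and logs an error when it actually succeeded (the disable branch above correctly uses `not` because there the desired end state is false), so it should read `if ActiveUserinSeafile['is_active']:`. The final `logger.error(...)` line is also missing its closing parenthesis, so the file as committed does not parse. The LDAP membership filter is built by formatting `seafileUser['email']` straight into the search string; a value containing filter metacharacters (`*`, `(`, `)`) changes what the query matches and therefore whether an account is kept active, so escape it with ldap3's own helper: `from ldap3.utils.conv import escape_filter_chars` at the top of the file and `.format(escape_filter_chars(seafileUser['email']), ldapFilter)` on the `ldap.search` line. The `"Checking if {0} user has an email, ..."` debug message never calls `.format`, so it logs a literal `{0}` instead of the address.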