first draft for sso active/disable

This commit is contained in:
2022-05-23 19:12:09 -04:00
parent 08329e0cf4
commit 91d1673bbd


@@ -1,6 +1,5 @@
#!/usr/bin/env python
from ldap import filter
from ldap3 import Connection, Server, ANONYMOUS, SIMPLE, SYNC, ASYNC, core
from getpass import getpass
import configparser
@@ -105,16 +104,6 @@ else:
# Seafile url
seafileURL = ccnetConfig['General']['SERVICE_URL']
# DB config
dbEngine = ccnetConfig['Database']['ENGINE']
dbHost = ccnetConfig['Database']['HOST']
dbPort = ccnetConfig['Database'].getint('PORT')
dbUser = ccnetConfig['Database']['USER']
dbPassword = ccnetConfig['Database']['PASSWD']
dbName = ccnetConfig['Database']['DB']
dbCharset = ccnetConfig['Database']['CONNECTION_CHARSET']
logger.debug("DB Engine: {0}, DB Host: {1}, DB Port: {2}, DB User: {3}, DB Name: {4}, DB Connection Charset: {5}".format(dbEngine, dbHost, dbPort, dbUser, dbName, dbCharset))
# ldap Config
ldapHost = ccnetConfig['LDAP']['HOST']
#ldapPort = ccnetConfig['LDAP SERVER'].getint('port')
@@ -127,17 +116,6 @@ logger.debug("LDAP Host: {0}, LDAP Base: {1}, LDAP User DN: {2}, LDAP Filter: {3
logger.debug("Finished reading the ccnet.conf file.")
# Config DB Varaibles
dbconfig = {
'user': dbUser,
'password': dbPassword,
'host': dbHost,
'port': dbPort,
'database': dbName,
'charset': dbCharset,
'raise_on_warnings': True
}
# setup the server
ldapServer = Server(ldapHost)
logger.debug("Setup LDAP server connection uri: {0}".format(ldapServer))
@@ -150,92 +128,36 @@ logger.debug("Bind successful.")
# get seafile users and loop through and check group membership and disable or not
# Get seafile users from LDAP
logger.debug("Searching for users that have a email address, are enabled, and in the {} group.".format(ldapFilter))
ldap.search(ldapBase, '(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))({0}))'.format(ldapFilter), attributes=['*'])
logger.debug("Found {0} LDAP users.".format(len(ldap.entries)))
ldapUsers = ldap.entries
for user in ldapUsers:
logger.debug("User: {0} - Email: {1} - UserDN: {2}".format(user.displayName, user.mail, user.distinguishedName))
# Starting query for seafile ldap users
seafileLDAPUsers = []
logger.debug("Starting query for LDAPUsers in Seafile")
seafileUsers = request('admin/search-user/?query=@{0}'.format(adminEmail.split("@")[1]), seafileURL, seafileToken)['response']['user_list']
logger.debug("Starting query for users in Seafile")
seafileUsers = request('admin/users/', seafileURL, seafileToken)['response']['data']
# need to substract one from the len as the admin account is in the list
logger.debug("Found {0} Seafile LDAP users".format(len(seafileUsers)-1))
logger.debug("Found {0} Seafile users".format(len(seafileUsers)-1))
for seafileUser in seafileUsers:
if seafileUser['email'] == adminEmail:
continue
else:
logger.debug("User: {0} - Active: {1}".format(seafileUser['email'], bool(seafileUser['is_active'])))
seafileLDAPUsers.append(seafileUser)
# Loop through the ldap users and make sure they are in the sql ldap users table
# if they are not in the sql table, insert a new row to add them
# if they are disabled in the sql table, enable them
for ldapUser in ldapUsers:
logger.debug("Searching if LDAP user {0} is in Seafile".format(ldapUser.mail))
checkSeafileUser = request('admin/search-user/?query={0}'.format(ldapUser.mail), seafileURL, seafileToken)['response']['user_list']
# loop through the results and make sure we match on the email
for seafileUser in checkSeafileUser:
if seafileUser['email'] == ldapUser.mail:
# User is in the sql table
# are they active
is_active = bool(seafileUser['is_active'])
# log the results
logger.debug("LDAP User {0} is already in Seafile, Is Active: {1}".format(ldapUser.mail, is_active))
# if user is not active, they should be
if not is_active:
logger.info("User {0} is NOT active in Seafile".format(ldapUser.mail))
# call the api to enable the user in seafile
enableSeafileUser = request('admin/users/{0}/'.format(ldapUser.mail), seafileURL, seafileToken, "PUT", {"is_active": "true"})['response']
if enableSeafileUser['is_active']:
logger.info("User {0} was set to active in Seafile".format(ldapUser.mail))
else:
logger.error("There was an error setting user {0} to active in Seafile".format(ldapUser.mail))
# user is not in the SQL table
else:
logger.info("LDAP User {0} is NOT in Seafile".format(ldapUser.mail))
# add user to ldap table
cnx = mysql.connector.connect(**dbconfig)
cursor = cnx.cursor()
query = "INSERT INTO LDAPUsers (email, password, is_staff, is_active) VALUES ('{0}', '', {1}, {2})".format(ldapUser.mail, 0, 1)
logger.debug("Query: {0}".format(query))
cursor.execute(query)
cnx.commit()
row_count = cursor.rowcount
if row_count == 1:
logger.info("LDAP user {0} was added to the Seafile SQL Table".format(ldapUser.mail))
logger.debug("Checking if {0} user has an email, is active, and is in the seafile group")
ldap.search(ldapBase, '(&(mail={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))({1}))'.format(seafileUser['email'], ldapFilter), attributes=['*'])
count = len(ldap.entries)
logger.debug("Found {0} LDAP user.".format(count))
if count == 0:
logger.debug("User {0} doesn't have an email, isn't active, or isn't in the seafile group, disabling in seafile...".format(seafileUser['email']))
if not seafileUser['is_active']:
logger.debug("User {0} is already disabled in Seafile".format(seafileUser['email']))
continue
disableUserinSeafile = request('admin/users/{0}/'.format(seafileUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "false"})['response']
if not disableUserinSeafile['is_active']:
logger.info("User {0} was set to disabled in Seafile".format(seafileUser['email']))
else:
logger.error("Failed to add LDAP user {0} to the Seafile SQL Table".format(ldapUser.mail))
cnx.close()
# Update seafile user profile with new name
updateSeafileUserName = request('admin/users/{0}/'.format(ldapUser.mail), seafileURL, seafileToken, "PUT", {"name": "{0}".format(ldapUser.displayName)})
if updateSeafileUserName['ok']:
logger.debug("User {0} name was updated to {1}".format(ldapUser.mail, ldapUser.displayName))
else:
logger.error("There was an error setting user {0} name to {1}".format(ldapUser.mail, ldapUser.displayName))
# Loop through the sql ldap users and disable those not in the ldap list
for seafileLDAPUser in seafileLDAPUsers:
if not seafileLDAPUser['is_active']:
logger.debug("User {0} is already disabled in Seafile".format(seafileLDAPUser['email']))
continue
logger.debug("Searching for user {0} that has an email address, are enabled, and in the {1} group.".format(seafileLDAPUser['email'], ldapFilter))
ldap.search(ldapBase, '(&(mail={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))({1}))'.format(seafileLDAPUser['email'], ldapFilter), attributes=['*'])
count = len(ldap.entries)
logger.debug("Found {0} LDAP user.".format(count))
if count == 0:
# User is not enabled, have email, or in the group, disable their account
disableUserinSeafile = request('admin/users/{0}/'.format(seafileLDAPUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "false"})['response']
if not disableUserinSeafile['is_active']:
logger.info("User {0} was set to disabled in Seafile".format(seafileLDAPUser['email']))
logger.error("There was an error setting user {0} to disabled in Seafile".format(seafileUser['email']))
else:
logger.error("There was an error setting user {0} to disabled in Seafile".format(seafileLDAPUser['email']))
logger.debug("User {0} has an email, is active, and is in the seafile group".format(seafileUser['email']))
if seafileUser['is_active']:
logger.debug("User {0} is already active in Seafile".format(seafileUser['email']))
continue
ActiveUserinSeafile = request('admin/users/{0}/'.format(seafileUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "true"})['response']
if not ActiveUserinSeafile['is_active']:
logger.info("User {0} was set to active in Seafile".format(seafileUser['email']))
else:
logger.error("There was an error setting user {0} to active in Seafile".format(seafileUser['email'])
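Review bot: The search at `ldap.search(ldapBase, '(&(mail={0})...'.format(seafileUser['email'], ldapFilter), attributes=['*'])` discards the boolean that `ldap.search` returns, and the `count == 0` branch below then treats an empty `ldap.entries` as "not in the group", so a failed or timed-out search (dropped bind, transient server error) would walk the whole `for seafileUser in seafileUsers` loop and disable every account; guard it with `if not ldap.search(...): logger.error("LDAP search failed for {0}: {1}".format(seafileUser['email'], ldap.result)); continue` so the fail-safe direction is "leave the user untouched". The address is also interpolated into the filter unescaped; since it comes back from the Seafile user list rather than from this script, wrap it as `escape_filter_chars(seafileUser['email'])` from `ldap3.utils.conv` (the same applies to the earlier `mail=*` search that splices in `ldapFilter`) so characters like `*`, `(` or `)` in a stored address cannot change what the filter matches and flip the enable/disable decision. The message `logger.debug("Checking if {0} user has an email, is active, and is in the seafile group")` has a `{0}` placeholder but no `.format(seafileUser['email'])`, so the literal braces are logged. The last line, `logger.error("There was an error setting user {0} to active in Seafile".format(seafileUser['email'])`, appears to be missing its closing parenthesis as shown here — this may be truncation on the rendered page, but if it is in the file the script will not parse.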