First draft for SSO active/disable

2022-05-23 19:12:09 -04:00
parent 08329e0cf4
commit 91d1673bbd


@@ -1,6 +1,5 @@
#!/usr/bin/env python #!/usr/bin/env python
from ldap import filter
from ldap3 import Connection, Server, ANONYMOUS, SIMPLE, SYNC, ASYNC, core from ldap3 import Connection, Server, ANONYMOUS, SIMPLE, SYNC, ASYNC, core
from getpass import getpass from getpass import getpass
import configparser import configparser
@@ -105,16 +104,6 @@ else:
# Seafile url # Seafile url
seafileURL = ccnetConfig['General']['SERVICE_URL'] seafileURL = ccnetConfig['General']['SERVICE_URL']
# DB config
dbEngine = ccnetConfig['Database']['ENGINE']
dbHost = ccnetConfig['Database']['HOST']
dbPort = ccnetConfig['Database'].getint('PORT')
dbUser = ccnetConfig['Database']['USER']
dbPassword = ccnetConfig['Database']['PASSWD']
dbName = ccnetConfig['Database']['DB']
dbCharset = ccnetConfig['Database']['CONNECTION_CHARSET']
logger.debug("DB Engine: {0}, DB Host: {1}, DB Port: {2}, DB User: {3}, DB Name: {4}, DB Connection Charset: {5}".format(dbEngine, dbHost, dbPort, dbUser, dbName, dbCharset))
# ldap Config # ldap Config
ldapHost = ccnetConfig['LDAP']['HOST'] ldapHost = ccnetConfig['LDAP']['HOST']
#ldapPort = ccnetConfig['LDAP SERVER'].getint('port') #ldapPort = ccnetConfig['LDAP SERVER'].getint('port')
@@ -127,17 +116,6 @@ logger.debug("LDAP Host: {0}, LDAP Base: {1}, LDAP User DN: {2}, LDAP Filter: {3
logger.debug("Finished reading the ccnet.conf file.") logger.debug("Finished reading the ccnet.conf file.")
# Config DB Varaibles
dbconfig = {
'user': dbUser,
'password': dbPassword,
'host': dbHost,
'port': dbPort,
'database': dbName,
'charset': dbCharset,
'raise_on_warnings': True
}
# setup the server # setup the server
ldapServer = Server(ldapHost) ldapServer = Server(ldapHost)
logger.debug("Setup LDAP server connection uri: {0}".format(ldapServer)) logger.debug("Setup LDAP server connection uri: {0}".format(ldapServer))
@@ -150,92 +128,36 @@ logger.debug("Bind successful.")
# get seafile users and loop through and check group membership and disable or not # get seafile users and loop through and check group membership and disable or not
logger.debug("Starting query for users in Seafile")
seafileUsers = request('admin/users/', seafileURL, seafileToken)['response']['data']
# Get seafile users from LDAP
logger.debug("Searching for users that have a email address, are enabled, and in the {} group.".format(ldapFilter))
ldap.search(ldapBase, '(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))({0}))'.format(ldapFilter), attributes=['*'])
logger.debug("Found {0} LDAP users.".format(len(ldap.entries)))
ldapUsers = ldap.entries
for user in ldapUsers:
logger.debug("User: {0} - Email: {1} - UserDN: {2}".format(user.displayName, user.mail, user.distinguishedName))
# Starting query for seafile ldap users
seafileLDAPUsers = []
logger.debug("Starting query for LDAPUsers in Seafile")
seafileUsers = request('admin/search-user/?query=@{0}'.format(adminEmail.split("@")[1]), seafileURL, seafileToken)['response']['user_list']
# need to substract one from the len as the admin account is in the list # need to substract one from the len as the admin account is in the list
logger.debug("Found {0} Seafile LDAP users".format(len(seafileUsers)-1)) logger.debug("Found {0} Seafile users".format(len(seafileUsers)-1))
for seafileUser in seafileUsers: for seafileUser in seafileUsers:
if seafileUser['email'] == adminEmail: if seafileUser['email'] == adminEmail:
continue continue
else: else:
logger.debug("User: {0} - Active: {1}".format(seafileUser['email'], bool(seafileUser['is_active']))) logger.debug("User: {0} - Active: {1}".format(seafileUser['email'], bool(seafileUser['is_active'])))
seafileLDAPUsers.append(seafileUser) logger.debug("Checking if {0} user has an email, is active, and is in the seafile group")
ldap.search(ldapBase, '(&(mail={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))({1}))'.format(seafileUser['email'], ldapFilter), attributes=['*'])
# Loop through the ldap users and make sure they are in the sql ldap users table
# if they are not in the sql table, insert a new row to add them
# if they are disabled in the sql table, enable them
for ldapUser in ldapUsers:
logger.debug("Searching if LDAP user {0} is in Seafile".format(ldapUser.mail))
checkSeafileUser = request('admin/search-user/?query={0}'.format(ldapUser.mail), seafileURL, seafileToken)['response']['user_list']
# loop through the results and make sure we match on the email
for seafileUser in checkSeafileUser:
if seafileUser['email'] == ldapUser.mail:
# User is in the sql table
# are they active
is_active = bool(seafileUser['is_active'])
# log the results
logger.debug("LDAP User {0} is already in Seafile, Is Active: {1}".format(ldapUser.mail, is_active))
# if user is not active, they should be
if not is_active:
logger.info("User {0} is NOT active in Seafile".format(ldapUser.mail))
# call the api to enable the user in seafile
enableSeafileUser = request('admin/users/{0}/'.format(ldapUser.mail), seafileURL, seafileToken, "PUT", {"is_active": "true"})['response']
if enableSeafileUser['is_active']:
logger.info("User {0} was set to active in Seafile".format(ldapUser.mail))
else:
logger.error("There was an error setting user {0} to active in Seafile".format(ldapUser.mail))
# user is not in the SQL table
else:
logger.info("LDAP User {0} is NOT in Seafile".format(ldapUser.mail))
# add user to ldap table
cnx = mysql.connector.connect(**dbconfig)
cursor = cnx.cursor()
query = "INSERT INTO LDAPUsers (email, password, is_staff, is_active) VALUES ('{0}', '', {1}, {2})".format(ldapUser.mail, 0, 1)
logger.debug("Query: {0}".format(query))
cursor.execute(query)
cnx.commit()
row_count = cursor.rowcount
if row_count == 1:
logger.info("LDAP user {0} was added to the Seafile SQL Table".format(ldapUser.mail))
else:
logger.error("Failed to add LDAP user {0} to the Seafile SQL Table".format(ldapUser.mail))
cnx.close()
# Update seafile user profile with new name
updateSeafileUserName = request('admin/users/{0}/'.format(ldapUser.mail), seafileURL, seafileToken, "PUT", {"name": "{0}".format(ldapUser.displayName)})
if updateSeafileUserName['ok']:
logger.debug("User {0} name was updated to {1}".format(ldapUser.mail, ldapUser.displayName))
else:
logger.error("There was an error setting user {0} name to {1}".format(ldapUser.mail, ldapUser.displayName))
# Loop through the sql ldap users and disable those not in the ldap list
for seafileLDAPUser in seafileLDAPUsers:
if not seafileLDAPUser['is_active']:
logger.debug("User {0} is already disabled in Seafile".format(seafileLDAPUser['email']))
continue
logger.debug("Searching for user {0} that has an email address, are enabled, and in the {1} group.".format(seafileLDAPUser['email'], ldapFilter))
ldap.search(ldapBase, '(&(mail={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))({1}))'.format(seafileLDAPUser['email'], ldapFilter), attributes=['*'])
count = len(ldap.entries) count = len(ldap.entries)
logger.debug("Found {0} LDAP user.".format(count)) logger.debug("Found {0} LDAP user.".format(count))
if count == 0: if count == 0:
# User is not enabled, have email, or in the group, disable their account logger.debug("User {0} doesn't have an email, isn't active, or isn't in the seafile group, disabling in seafile...".format(seafileUser['email']))
disableUserinSeafile = request('admin/users/{0}/'.format(seafileLDAPUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "false"})['response'] if not seafileUser['is_active']:
logger.debug("User {0} is already disabled in Seafile".format(seafileUser['email']))
continue
disableUserinSeafile = request('admin/users/{0}/'.format(seafileUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "false"})['response']
if not disableUserinSeafile['is_active']: if not disableUserinSeafile['is_active']:
logger.info("User {0} was set to disabled in Seafile".format(seafileLDAPUser['email'])) logger.info("User {0} was set to disabled in Seafile".format(seafileUser['email']))
else: else:
logger.error("There was an error setting user {0} to disabled in Seafile".format(seafileLDAPUser['email'])) logger.error("There was an error setting user {0} to disabled in Seafile".format(seafileUser['email']))
else:
logger.debug("User {0} has an email, is active, and is in the seafile group".format(seafileUser['email']))
if seafileUser['is_active']:
logger.debug("User {0} is already active in Seafile".format(seafileUser['email']))
continue
ActiveUserinSeafile = request('admin/users/{0}/'.format(seafileUser['email']), seafileURL, seafileToken, "PUT", {"is_active": "true"})['response']
if not ActiveUserinSeafile['is_active']:
logger.info("User {0} was set to active in Seafile".format(seafileUser['email']))
else:
logger.error("There was an error setting user {0} to active in Seafile".format(seafileUser['email'])