From b74c5ac88395e39a9a81711f0613e1ff95f645d6 Mon Sep 17 00:00:00 2001
From: HugoPoi
Date: Thu, 29 Aug 2019 22:52:48 +0200
Subject: [PATCH 1/5] Use Email header from SSOWat

---
 scripts/install | 6 ++++--
 scripts/upgrade | 3 ++-
 sources/patches/arm-force_domain_email.patch | 1 -
 sources/patches/x86-64-force_domain_email.patch | 16 ----------------
 4 files changed, 6 insertions(+), 20 deletions(-)
 delete mode 120000 sources/patches/arm-force_domain_email.patch
 delete mode 100644 sources/patches/x86-64-force_domain_email.patch

diff --git a/scripts/install b/scripts/install
index 2de776f..bbbaec1 100644
--- a/scripts/install
+++ b/scripts/install
@@ -123,8 +123,9 @@ echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_set
 
 # SSO authentication
 echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py
+echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py
 echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py
-echo "REMOTE_USER_DOMAIN = '$domain'" | tee -a $final_path/conf/seahub_settings.py
+echo "REMOTE_USER_DOMAIN = ''" | tee -a $final_path/conf/seahub_settings.py
 echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py
 
 # LDAP configuration
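Review bot: Setting `REMOTE_USER_HEADER = 'HTTP_EMAIL'` makes Seahub accept whatever `Email` request header reaches it as the authenticated identity, so the safety of this line depends entirely on the reverse proxy never forwarding a client-supplied `Email` header and on SSOWat setting it only after a successful login; neither the nginx configuration nor the SSOWat behaviour is part of this series, so that should be verified (for example that unauthenticated requests have the header cleared before proxying). `REMOTE_USER_CREATE_UNKNOWN_USER = False` on the next line limits a forged header to impersonating existing accounts rather than creating new ones, but with the domain restriction removed elsewhere in this series every existing e-mail address is now a valid target. Record the assumption next to the line, e.g. `# Seahub trusts the Email header as-is: it must only ever be set by SSOWat and never pass through from the client.`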
@@ -171,7 +172,8 @@ sleep 5
 su - $seafile_user -s /bin/bash -c "$final_path/seafile-server-$seafile_version/seafile.sh start"
 # We escape all char witch needed.
 ynh_replace_special_string --match_string __ADMIN_PASSWORD__ --replace_string "$admin_password" --target_file $final_path/first_launch.exp
-su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin@$domain"
+admin_email=$(ynh_user_get_info $admin 'mail')
+su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin_email"
 ynh_secure_remove --file="$final_path/first_launch.exp"
 
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 9590977..23b3cf4 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -141,8 +141,9 @@ case $installed_version in
 expect_scripts/upgrade_7.0.exp $final_path/seafile-server-$seafile_version $root_pwd
 # SSO authentication
 echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py
+ echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py
 echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py
- echo "REMOTE_USER_DOMAIN = '$domain'" | tee -a $final_path/conf/seahub_settings.py
+ echo "REMOTE_USER_DOMAIN = ''" | tee -a $final_path/conf/seahub_settings.py
 echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py
 
 # Clean connexion from the SSO. If we don't do this we could have some when the user was loged by the old SSO auth mecanisme
diff --git a/sources/patches/arm-force_domain_email.patch b/sources/patches/arm-force_domain_email.patch
deleted file mode 120000
index 53cd67a..0000000
--- a/sources/patches/arm-force_domain_email.patch
+++ /dev/null
@@ -1 +0,0 @@
-x86-64-force_domain_email.patch
\ No newline at end of file
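Review bot: `$admin_email` is interpolated unquoted into the double-quoted command string handed to `su -c`, so the shell that `su` spawns word-splits and glob-expands it, and any shell metacharacter in the LDAP `mail` attribute would be executed as `$seafile_user`; the previous `$admin@$domain` had the same shape but was assembled from values the install script had already validated. Escape the quotes inside the `-c` string so the address arrives as one word: `su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version \"$admin_email\""`. A short comment above the new line noting that the address comes from LDAP and must be passed as a single argument would make the quoting intentional for the next editor.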
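Review bot: The new `REMOTE_USER_HEADER` line is only appended inside this `case` branch, which judging by the `upgrade_7.0.exp` call just above runs for instances upgrading from before 7.0; an instance that already went through the earlier 7.0 upgrade keeps `REMOTE_USER_DOMAIN = '$domain'` and has no `REMOTE_USER_HEADER` in its seahub_settings.py, so its SSO login will behave differently from a fresh install after this patch. A guarded append for existing installs would close that gap, e.g. `grep -q '^REMOTE_USER_HEADER' $final_path/conf/seahub_settings.py || echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py`, together with an `ynh_replace_string` for the old `REMOTE_USER_DOMAIN` value. The `case` statement enclosing this branch starts and ends outside the hunk.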
diff --git a/sources/patches/x86-64-force_domain_email.patch b/sources/patches/x86-64-force_domain_email.patch
deleted file mode 100644
index 4feca54..0000000
--- a/sources/patches/x86-64-force_domain_email.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/seahub/base/accounts.py b/seahub/base/accounts.py
-index 4ebbb98c4..ba468d073 100644
---- a/seahub/seahub/base/accounts.py
-+++ b/seahub/seahub/base/accounts.py
-@@ -540,7 +540,11 @@ class User(object):
- 
- class AuthBackend(object):
- 
-+ allowed_domain = settings.REMOTE_USER_DOMAIN
-+
- def get_user_with_import(self, username):
-+ if '@' in username and self.allowed_domain != username.split('@')[1]:
-+ raise User.DoesNotExist, 'Invalid domain for the email. Please use the seafile domain for the domain part of the email.'
- emailuser = seaserv.get_emailuser_with_import(username)
- if not emailuser:
- raise User.DoesNotExist, 'User matching query does not exits.'

From 28760cfe57e1b3d3161f385eeff0ca5dc0e7a632 Mon Sep 17 00:00:00 2001
From: HugoPoi
Date: Sun, 3 Nov 2019 17:49:09 +0100
Subject: [PATCH 2/5] Remove sql user email migration from change-url (doesn't make sense anymore)

---
 scripts/change_url | 64 ----------------------------------------
 1 file changed, 64 deletions(-)

diff --git a/scripts/change_url b/scripts/change_url
index a29b4c2..06f8916 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -88,70 +88,6 @@ sed --in-place "s@REMOTE_USER_PROTECTED_PATH = \['$old_path', '$old_path/account
 
 ynh_script_progression --message="Updating seafile database" --weight=7
 
-# Update database
-
-# This fonction relplace all old domain name by the new domain name.
-# use : mysql_relpace_db db_name table collum
-mysql_relpace_db() {
- sql_request='UPDATE `'"$2"'` SET '"$3 = replace($3, '$old_domain', '$domain')"
- ynh_mysql_execute_as_root --sql "$sql_request" --database $1
-}
-
-# ccnet DB
-mysql_relpace_db ccnetdb EmailUser email
-mysql_relpace_db ccnetdb Group creator_name
-mysql_relpace_db ccnetdb GroupUser user_name
-mysql_relpace_db ccnetdb LDAPUsers email
-mysql_relpace_db ccnetdb Organization creator
-mysql_relpace_db ccnetdb OrgUser email
-mysql_relpace_db ccnetdb UserRole email
-
-# seafile DB
-mysql_relpace_db seafiledb OrgUserQuota user
-mysql_relpace_db seafiledb RepoGroup user_name
-mysql_relpace_db seafiledb RepoOwner owner_id
-mysql_relpace_db seafiledb RepoTrash owner_id
-mysql_relpace_db seafiledb RepoUserToken email
-mysql_relpace_db seafiledb SharedRepo from_email
-mysql_relpace_db seafiledb SharedRepo to_email
-mysql_relpace_db seafiledb UserQuota user
-mysql_relpace_db seafiledb UserShareQuota user
-
-# seahub DB
-mysql_relpace_db seahubdb api2_token user
-mysql_relpace_db seahubdb api2_tokenv2 user
-mysql_relpace_db seahubdb avatar_avatar emailuser
-mysql_relpace_db seahubdb base_clientlogintoken username
-mysql_relpace_db seahubdb base_devicetoken user
-mysql_relpace_db seahubdb base_filecomment author
-mysql_relpace_db seahubdb base_innerpubmsg from_email
-mysql_relpace_db seahubdb base_innerpubmsgreply from_email
-mysql_relpace_db seahubdb base_userenabledmodule username
-mysql_relpace_db seahubdb base_userlastlogin username
-mysql_relpace_db seahubdb base_userstarredfiles email
-mysql_relpace_db seahubdb group_groupmessage from_email
-mysql_relpace_db seahubdb group_messagereply from_email
-mysql_relpace_db seahubdb institutions_institutionadmin user
-mysql_relpace_db seahubdb notifications_usernotification to_user
-mysql_relpace_db seahubdb options_useroptions email
-mysql_relpace_db seahubdb post_office_attachment_emails email_id
-mysql_relpace_db seahubdb post_office_email from_email
-mysql_relpace_db seahubdb profile_profile user
-mysql_relpace_db seahubdb profile_profile login_id
-mysql_relpace_db seahubdb profile_profile contact_email
-mysql_relpace_db seahubdb registration_registrationprofile emailuser_id
-mysql_relpace_db seahubdb share_anonymousshare repo_owner
-mysql_relpace_db seahubdb share_fileshare username
-mysql_relpace_db seahubdb share_privatefiledirshare from_user
-mysql_relpace_db seahubdb share_privatefiledirshare to_user
-mysql_relpace_db seahubdb share_uploadlinkshare username
-mysql_relpace_db seahubdb sysadmin_extra_userloginlog username
-mysql_relpace_db seahubdb termsandconditions_usertermsandconditions username
-mysql_relpace_db seahubdb two_factor_phonedevice user
-mysql_relpace_db seahubdb two_factor_staticdevice user
-mysql_relpace_db seahubdb two_factor_totpdevice user
-mysql_relpace_db seahubdb wiki_personalwiki username
-
 
 # Avoid the current effect
 sleep 2

From f86b6b6ee1a700ee784b7e675552bda862d81ef3 Mon Sep 17 00:00:00 2001
From: HugoPoi
Date: Tue, 5 Nov 2019 19:47:16 +0100
Subject: [PATCH 3/5] Add Move user's libraries action for solving migration issues

---
 actions.json | 20 ++++++++++++++++++++
 scripts/_common.sh | 2 ++
 sources/move_library.py | 29 +++++++++++++++++++++++++++++
 sources/seafile_api_loader.sh | 22 ++++++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 actions.json
 create mode 100644 sources/move_library.py
 create mode 100755 sources/seafile_api_loader.sh

diff --git a/actions.json b/actions.json
new file mode 100644
index 0000000..4190bcb
--- /dev/null
+++ b/actions.json
@@ -0,0 +1,20 @@
+[{
+ "id": "move_all_libraries",
+ "name": "Move user's libraries",
+ "command": "/opt/yunohost/seafile/seafile_api_loader.sh /opt/yunohost/seafile/move_library.py $YNH_ACTION_USER_TO_MIGRATE",
+ "user": "root",
+ "accepted_return_codes": [0],
+ "description": {
+ "en": "WARNING: Only use this feature if you know what you do.\n This action is only needed if you have installed Seafile before the version 7 AND your Seafile instance was installed under other domain than the user accounts. Move all user's libraries to the correct account, this action exists only for handling old created account with the old SSO behavior.\n See https://github.com/YunoHost-Apps/seafile_ynh/issues/44 for more information."
+ },
+ "arguments": [
+ {
+ "name": "user_to_migrate",
+ "type": "user",
+ "ask": {
+ "en": "User account to be migrate from the old to the new behavior"
+ },
+ "example": "bob@ynh.local"
+ }
+ ]
+}]
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 74b35c3..bdaa500 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -17,6 +17,8 @@ install_source() {
 ynh_die --message "Error : this architecture is no longer supported by the upstream. Please create en issue here : https://github.com/YunoHost-Apps/seafile_ynh/issues to ask to discuss about a support of this architecture"
 fi
 ynh_setup_source "$final_path/seafile-server-$seafile_version" "$architecture"
+ cp ../sources/seafile_api_loader.sh $final_path/
+ cp ../sources/move_library.py $final_path/
 }
 
 install_dependance() {
diff --git a/sources/move_library.py b/sources/move_library.py
new file mode 100644
index 0000000..b2fa7ae
--- /dev/null
+++ b/sources/move_library.py
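Review bot: The `command` runs as root and executes two scripts by the hard-coded path `/opt/yunohost/seafile/`, while the loader it calls resolves `final_path` from the app settings; if the two ever differ, or if that directory is writable by the seafile service account, a compromise of the network-facing service can be turned into root execution through this action — the directory's ownership is not visible in this series and should be verified before shipping an action that runs as root from it. `$YNH_ACTION_USER_TO_MIGRATE` is also expanded unquoted in the command string and should be written `\"$YNH_ACTION_USER_TO_MIGRATE\"` so the argument survives as one word. The `"type": "user"` argument presumably restricts the value to an existing YunoHost username, yet the `"example"` shows an e-mail form (`bob@ynh.local`) that move_library.py does not handle, since it appends `@` and the Seafile domain itself; the example should be a bare username, and the description should say so.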
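Review bot: The two new `cp` lines place scripts that actions.json later executes as root into `$final_path/`, with whatever ownership and mode `cp` and the umask produce; if that directory is owned or writable by the service user (the tree `ynh_setup_source` populates just above is the natural candidate), that user can replace the scripts and gain root the next time the action runs. Use an explicit install instead, `install -o root -g root -m 0755 ../sources/seafile_api_loader.sh $final_path/` and `install -o root -g root -m 0644 ../sources/move_library.py $final_path/`, and consider keeping root-executed helpers outside the directory the service user writes to. `install_source()` starts before the hunk.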
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+import sys
+import os
+from seaserv import seafile_api, ccnet_api
+
+seafile_local_emails = map(lambda user: user.email, ccnet_api.get_emailusers('DB', start=-1, limit=-1, is_active=None))
+active_user_emails = map(lambda user: user.email, ccnet_api.get_emailusers(source='LDAPImport', start=-1, limit=-1, is_active=True))
+ldap_user_emails = map(lambda user: user.email, ccnet_api.get_emailusers(source='LDAP', start=-1, limit=-1, is_active=None))
+non_active_user_emails = list(set(ldap_user_emails) - set(active_user_emails))
+
+seafile_domain = os.environ['SEAFILE_CURRENT_DOMAIN']
+source_user = sys.argv[1]
+source_user_email = source_user + '@' + seafile_domain
+assert (source_user_email in seafile_local_emails), 'The user must be in local seafile users list'
+
+# TODO we might want to use non_active_user_emails in place of ldap_user_emails here
+filtered_potencial_target_users = list(filter(lambda email: email.startswith(source_user + '@'), ldap_user_emails))
+assert (not len(filtered_potencial_target_users) > 1), 'This user have multiple target possible can\'t continue'
+assert (len(filtered_potencial_target_users) == 1), 'This user doesn\'t have any possible match in Yunohost LDAP'
+
+target_user_email = filtered_potencial_target_users[0]
+
+ccnet_api.get_emailuser_with_import(target_user_email)
+
+source_repositories = seafile_api.get_owned_repo_list(source_user_email);
+
+for repo in source_repositories:
+    seafile_api.set_repo_owner(repo.id, target_user_email)
diff --git a/sources/seafile_api_loader.sh b/sources/seafile_api_loader.sh
new file mode 100755
index 0000000..d9a8847
--- /dev/null
+++ b/sources/seafile_api_loader.sh
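Review bot: The three `assert` statements are the only validation in the script, and `assert` is stripped under `python -O`/`PYTHONOPTIMIZE`; in that mode a user with no LDAP match reaches `filtered_potencial_target_users[0]` and dies with IndexError, while a user with several matches silently has every library moved to the first one. Since actions.json treats only exit code 0 as success, each check should become `if not cond: sys.exit('message')`, preceded by `if len(sys.argv) < 2: sys.exit('usage: move_library.py <username>')` before `sys.argv[1]` is read. The result of `ccnet_api.get_emailuser_with_import(target_user_email)` is discarded although it appears to be what ensures the LDAP target exists before ownership is transferred — test it and exit if it is falsy. `non_active_user_emails` is computed and never used, as the TODO already notes. A module docstring stating that this is a one-shot migration re-homing libraries owned by `<username>@<seafile domain>` to the matching LDAP account would help the next reader.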
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Source YunoHost helpers
+source /usr/share/yunohost/helpers
+
+# Stop script if errors
+#ynh_abort_if_errors
+
+# Import common cmd
+#source ./experimental_helper.sh
+#source ./_common.sh
+
+final_path=$(ynh_app_setting_get --app $YNH_APP_INSTANCE_NAME --key final_path)
+
+export SEAFILE_CURRENT_DOMAIN=$(ynh_app_setting_get --app $YNH_APP_INSTANCE_NAME --key domain)
+export CCNET_CONF_DIR=$final_path/ccnet
+export SEAFILE_CONF_DIR=$final_path/conf
+export SEAFILE_CENTRAL_CONF_DIR=$final_path/conf
+
+export PYTHONPATH=$final_path/seafile-server-latest/seafile/lib/python2.7/site-packages:$final_path/seafile-server-latest/seafile/lib64/python2.7/site-packages:$PYTHONPATH
+
+python $*

From a8c41eb09cf75aa60f107d0c2044cde3fcf8be3b Mon Sep 17 00:00:00 2001
From: HugoPoi
Date: Wed, 6 Nov 2019 11:55:25 +0100
Subject: [PATCH 4/5] Delete the local user after migrate libraries, minor review change

---
 actions.json | 2 +-
 scripts/install | 2 +-
 sources/move_library.py | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/actions.json b/actions.json
index 4190bcb..44e4135 100644
--- a/actions.json
+++ b/actions.json
@@ -14,7 +14,7 @@
 "ask": {
 "en": "User account to be migrate from the old to the new behavior"
 },
- "example": "bob@ynh.local"
+ "example": "bob@domain.tld"
 }
 ]
 }]
diff --git a/scripts/install b/scripts/install
index bbbaec1..6e80122 100644
--- a/scripts/install
+++ b/scripts/install
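Review bot: `python $*` on the last line splits and re-globs every argument; it should be `python "$@"`. `ynh_abort_if_errors` is commented out and nothing else enables `set -e`/`set -u`, so if `ynh_app_setting_get` fails `final_path` is empty and `CCNET_CONF_DIR`, `SEAFILE_CONF_DIR` and `PYTHONPATH` silently become `/ccnet`, `/conf` and `/seafile-server-latest/...`; add `set -eu` (or re-enable the helper) and `[ -n "$final_path" ] || ynh_die --message="final_path is not set"` before the exports. Because actions.json runs this script as root, every module importable from the `PYTHONPATH` directories under `$final_path` executes with root privileges — whether the service user can write there is not visible in this series and should be checked. The `python2.7` site-packages paths are hard-coded, so the loader stops working as soon as the bundled interpreter version changes.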
@@ -172,7 +172,7 @@ sleep 5
 su - $seafile_user -s /bin/bash -c "$final_path/seafile-server-$seafile_version/seafile.sh start"
 # We escape all char witch needed.
 ynh_replace_special_string --match_string __ADMIN_PASSWORD__ --replace_string "$admin_password" --target_file $final_path/first_launch.exp
-admin_email=$(ynh_user_get_info $admin 'mail')
+admin_email=$(ynh_user_get_info --username $admin --key 'mail')
 su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin_email"
 ynh_secure_remove --file="$final_path/first_launch.exp"
 
diff --git a/sources/move_library.py b/sources/move_library.py
index b2fa7ae..0ecbd72 100644
--- a/sources/move_library.py
+++ b/sources/move_library.py
@@ -27,3 +27,5 @@ source_repositories = seafile_api.get_owned_repo_list(source_user_email);
 
 for repo in source_repositories:
     seafile_api.set_repo_owner(repo.id, target_user_email)
+
+ccnet_api.remove_emailuser('DB', source_user_email)

From 981372525f7403f67831941ff32afbdbc41b574c Mon Sep 17 00:00:00 2001
From: HugoPoi
Date: Wed, 6 Nov 2019 11:57:26 +0100
Subject: [PATCH 5/5] Change README.md regarding PR #49

---
 README.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 705c01b..3409154 100644
--- a/README.md
+++ b/README.md
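Review bot: `admin_email` can come back empty (an admin entry without a `mail` attribute, or a helper failure this line does not trap), and the following `su` line then runs `first_launch.exp` with a missing argument; guard it with `[ -n "$admin_email" ] || ynh_die --message="No email address found for user $admin"` right after the assignment. The value is still interpolated unquoted inside the `-c` string on the next line and should be written `\"$admin_email\"` there so the spawned shell does not split or glob it.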
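Review bot: `ccnet_api.remove_emailuser('DB', source_user_email)` runs unconditionally after the loop, but no return value of `seafile_api.set_repo_owner` is inspected, so a transfer that fails part-way is followed by deleting the account that still owns the remaining libraries. Only owned libraries are re-homed; shares received by the old identity, its group memberships, API tokens and the other per-user rows that the removed change_url migration used to rewrite stay bound to `source_user_email` and are orphaned once it is removed. Check each `set_repo_owner` result (the API's failure convention is not visible here and should be confirmed) and `sys.exit` before the removal, and consider making the deletion an explicit opt-in step rather than an automatic consequence of the move.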
@@ -47,11 +47,9 @@ YunoHost specific features
 
 This app support LDAP and the SSO authentification.
 
-The restriction is that the user ID in this app is an email address. So it's potentially possible to have multiple user account with the same username. By example you can have `john@yunohost.org` and `john@seafile.org`. You can see the issue [#5](https://github.com/YunoHost-Apps/seafile_ynh/issues/5) wich describe this problem. You can check that you are not in this case if by going in seafile admin page in the user tab can see all account.
-
-The best configuration is to give to each user an email which contains the domain used by seafile.
-
-**To fix this issue seahub don't allow any authentication from a user different than "username@seafile_domain.tld".**
+If you have Seafile installed before 7.x and you have more than one domain for users in Yunohost or Seafile app is installed on a different domain, you need to migrate accounts.
+You can use the provided action at https://domain.tld/yunohost/admin/#/apps/seafile/actions. See [issue#44](https://github.com/YunoHost-Apps/seafile_ynh/issues/44)
+for more information.
 
 ### Supported architectures
 
@@ -73,7 +71,7 @@ Additional informations
 
 ### Change URL
 
-Since now it's possible to change domain or the url of seafile but use it with precaution because it has not been tested enough for a big production installation. For the authentication and user every email for authentication will have the new domain name. For example `toto@old_domain.tld` will be `toto@new_domain.tld`.
+Since now it's possible to change domain or the url of seafile but use it with precaution because it has not been tested enough for a big production installation.
 
 To do this run : `yunohost app change-url seafile -d new_domain.tld -p PATH new_path