Merge branch 'use-main-email-for-sso' into full_upgrade

This commit is contained in:
Josué Tille 2019-12-01 14:22:05 +01:00
commit eaa5281445
No known key found for this signature in database
GPG key ID: 716A6C99B04194EF
10 changed files with 85 additions and 90 deletions

View file

@ -47,11 +47,9 @@ YunoHost specific features
This app support LDAP and the SSO authentification. This app support LDAP and the SSO authentification.
The restriction is that the user ID in this app is an email address. So it's potentially possible to have multiple user account with the same username. By example you can have `john@yunohost.org` and `john@seafile.org`. You can see the issue [#5](https://github.com/YunoHost-Apps/seafile_ynh/issues/5) wich describe this problem. You can check that you are not in this case if by going in seafile admin page in the user tab can see all account. If you have Seafile installed before 7.x and you have more than one domain for users in Yunohost or Seafile app is installed on a different domain, you need to migrate accounts.
You can use the provided action at https://domain.tld/yunohost/admin/#/apps/seafile/actions. See [issue#44](https://github.com/YunoHost-Apps/seafile_ynh/issues/44)
The best configuration is to give to each user an email which contains the domain used by seafile. for more information.
**To fix this issue seahub don't allow any authentication from a user different than "username@seafile_domain.tld".**
### Supported architectures ### Supported architectures
@ -73,7 +71,7 @@ Additional informations
### Change URL ### Change URL
Since now it's possible to change domain or the url of seafile but use it with precaution because it has not been tested enough for a big production installation. For the authentication and user every email for authentication will have the new domain name. For example `toto@old_domain.tld` will be `toto@new_domain.tld`. Since now it's possible to change domain or the url of seafile but use it with precaution because it has not been tested enough for a big production installation.
To do this run : `yunohost app change-url seafile -d new_domain.tld -p PATH new_path To do this run : `yunohost app change-url seafile -d new_domain.tld -p PATH new_path

20
actions.json Normal file
View file

@ -0,0 +1,20 @@
[{
"id": "move_all_libraries",
"name": "Move user's libraries",
"command": "/opt/yunohost/seafile/seafile_api_loader.sh /opt/yunohost/seafile/move_library.py $YNH_ACTION_USER_TO_MIGRATE",
"user": "root",
"accepted_return_codes": [0],
"description": {
"en": "WARNING: Only use this feature if you know what you do.\n This action is only needed if you have installed Seafile before the version 7 AND your Seafile instance was installed under other domain than the user accounts. Move all user's libraries to the correct account, this action exists only for handling old created account with the old SSO behavior.\n See https://github.com/YunoHost-Apps/seafile_ynh/issues/44 for more information."
},
"arguments": [
{
"name": "user_to_migrate",
"type": "user",
"ask": {
"en": "User account to be migrate from the old to the new behavior"
},
"example": "bob@domain.tld"
}
]
}]

View file

@ -17,6 +17,8 @@ install_source() {
ynh_die --message "Error : this architecture is no longer supported by the upstream. Please create en issue here : https://github.com/YunoHost-Apps/seafile_ynh/issues to ask to discuss about a support of this architecture" ynh_die --message "Error : this architecture is no longer supported by the upstream. Please create en issue here : https://github.com/YunoHost-Apps/seafile_ynh/issues to ask to discuss about a support of this architecture"
fi fi
ynh_setup_source "$final_path/seafile-server-$seafile_version" "$architecture" ynh_setup_source "$final_path/seafile-server-$seafile_version" "$architecture"
cp ../sources/seafile_api_loader.sh $final_path/
cp ../sources/move_library.py $final_path/
} }
install_dependance() { install_dependance() {

View file

@ -88,70 +88,6 @@ sed --in-place "s@REMOTE_USER_PROTECTED_PATH = \['$old_path', '$old_path/account
ynh_script_progression --message="Updating seafile database" --weight=7 ynh_script_progression --message="Updating seafile database" --weight=7
# Update database
# This fonction relplace all old domain name by the new domain name.
# use : mysql_relpace_db db_name table collum
mysql_relpace_db() {
sql_request='UPDATE `'"$2"'` SET '"$3 = replace($3, '$old_domain', '$domain')"
ynh_mysql_execute_as_root --sql "$sql_request" --database $1
}
# ccnet DB
mysql_relpace_db ccnetdb EmailUser email
mysql_relpace_db ccnetdb Group creator_name
mysql_relpace_db ccnetdb GroupUser user_name
mysql_relpace_db ccnetdb LDAPUsers email
mysql_relpace_db ccnetdb Organization creator
mysql_relpace_db ccnetdb OrgUser email
mysql_relpace_db ccnetdb UserRole email
# seafile DB
mysql_relpace_db seafiledb OrgUserQuota user
mysql_relpace_db seafiledb RepoGroup user_name
mysql_relpace_db seafiledb RepoOwner owner_id
mysql_relpace_db seafiledb RepoTrash owner_id
mysql_relpace_db seafiledb RepoUserToken email
mysql_relpace_db seafiledb SharedRepo from_email
mysql_relpace_db seafiledb SharedRepo to_email
mysql_relpace_db seafiledb UserQuota user
mysql_relpace_db seafiledb UserShareQuota user
# seahub DB
mysql_relpace_db seahubdb api2_token user
mysql_relpace_db seahubdb api2_tokenv2 user
mysql_relpace_db seahubdb avatar_avatar emailuser
mysql_relpace_db seahubdb base_clientlogintoken username
mysql_relpace_db seahubdb base_devicetoken user
mysql_relpace_db seahubdb base_filecomment author
mysql_relpace_db seahubdb base_innerpubmsg from_email
mysql_relpace_db seahubdb base_innerpubmsgreply from_email
mysql_relpace_db seahubdb base_userenabledmodule username
mysql_relpace_db seahubdb base_userlastlogin username
mysql_relpace_db seahubdb base_userstarredfiles email
mysql_relpace_db seahubdb group_groupmessage from_email
mysql_relpace_db seahubdb group_messagereply from_email
mysql_relpace_db seahubdb institutions_institutionadmin user
mysql_relpace_db seahubdb notifications_usernotification to_user
mysql_relpace_db seahubdb options_useroptions email
mysql_relpace_db seahubdb post_office_attachment_emails email_id
mysql_relpace_db seahubdb post_office_email from_email
mysql_relpace_db seahubdb profile_profile user
mysql_relpace_db seahubdb profile_profile login_id
mysql_relpace_db seahubdb profile_profile contact_email
mysql_relpace_db seahubdb registration_registrationprofile emailuser_id
mysql_relpace_db seahubdb share_anonymousshare repo_owner
mysql_relpace_db seahubdb share_fileshare username
mysql_relpace_db seahubdb share_privatefiledirshare from_user
mysql_relpace_db seahubdb share_privatefiledirshare to_user
mysql_relpace_db seahubdb share_uploadlinkshare username
mysql_relpace_db seahubdb sysadmin_extra_userloginlog username
mysql_relpace_db seahubdb termsandconditions_usertermsandconditions username
mysql_relpace_db seahubdb two_factor_phonedevice user
mysql_relpace_db seahubdb two_factor_staticdevice user
mysql_relpace_db seahubdb two_factor_totpdevice user
mysql_relpace_db seahubdb wiki_personalwiki username
# Avoid the current effect # Avoid the current effect
sleep 2 sleep 2

View file

@ -123,8 +123,9 @@ echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_set
# SSO authentication # SSO authentication
echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py
echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py
echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py
echo "REMOTE_USER_DOMAIN = '$domain'" | tee -a $final_path/conf/seahub_settings.py echo "REMOTE_USER_DOMAIN = ''" | tee -a $final_path/conf/seahub_settings.py
echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py
# LDAP configuration # LDAP configuration
@ -172,7 +173,8 @@ ynh_debug_exec ls /opt/yunohost/seafile/ccnet
su - $seafile_user -s /bin/bash -c "$final_path/seafile-server-$seafile_version/seafile.sh start" su - $seafile_user -s /bin/bash -c "$final_path/seafile-server-$seafile_version/seafile.sh start"
# We escape all char witch needed. # We escape all char witch needed.
ynh_replace_special_string --match_string __ADMIN_PASSWORD__ --replace_string "$admin_password" --target_file $final_path/first_launch.exp ynh_replace_special_string --match_string __ADMIN_PASSWORD__ --replace_string "$admin_password" --target_file $final_path/first_launch.exp
su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin@$domain" admin_email=$(ynh_user_get_info --username $admin --key 'mail')
su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin_email"
ynh_secure_remove --file="$final_path/first_launch.exp" ynh_secure_remove --file="$final_path/first_launch.exp"
#================================================= #=================================================

View file

@ -144,8 +144,9 @@ case $installed_version in
expect_scripts/upgrade_7.0.exp $final_path/seafile-server-$seafile_version $root_pwd expect_scripts/upgrade_7.0.exp $final_path/seafile-server-$seafile_version $root_pwd
# SSO authentication # SSO authentication
echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py
echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py
echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py
echo "REMOTE_USER_DOMAIN = '$domain'" | tee -a $final_path/conf/seahub_settings.py echo "REMOTE_USER_DOMAIN = ''" | tee -a $final_path/conf/seahub_settings.py
echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py
# Clean connexion from the SSO. If we don't do this we could have some when the user was loged by the old SSO auth mecanisme # Clean connexion from the SSO. If we don't do this we could have some when the user was loged by the old SSO auth mecanisme

31
sources/move_library.py Normal file
View file

@ -0,0 +1,31 @@
#!/usr/bin/env python
import sys
import os
from seaserv import seafile_api, ccnet_api
seafile_local_emails = map(lambda user: user.email, ccnet_api.get_emailusers('DB', start=-1, limit=-1, is_active=None))
active_user_emails = map(lambda user: user.email, ccnet_api.get_emailusers(source='LDAPImport', start=-1, limit=-1, is_active=True))
ldap_user_emails = map(lambda user: user.email, ccnet_api.get_emailusers(source='LDAP', start=-1, limit=-1, is_active=None))
non_active_user_emails = list(set(ldap_user_emails) - set(active_user_emails))
seafile_domain = os.environ['SEAFILE_CURRENT_DOMAIN']
source_user = sys.argv[1]
source_user_email = source_user + '@' + seafile_domain
assert (source_user_email in seafile_local_emails), 'The user must be in local seafile users list'
# TODO we might want to use non_active_user_emails in place of ldap_user_emails here
filtered_potencial_target_users = list(filter(lambda email: email.startswith(source_user + '@'), ldap_user_emails))
assert (not len(filtered_potencial_target_users) > 1), 'This user have multiple target possible can\'t continue'
assert (len(filtered_potencial_target_users) == 1), 'This user doesn\'t have any possible match in Yunohost LDAP'
target_user_email = filtered_potencial_target_users[0]
ccnet_api.get_emailuser_with_import(target_user_email)
source_repositories = seafile_api.get_owned_repo_list(source_user_email);
for repo in source_repositories:
seafile_api.set_repo_owner(repo.id, target_user_email)
ccnet_api.remove_emailuser('DB', source_user_email)

View file

@ -1 +0,0 @@
x86-64-force_domain_email.patch

View file

@ -1,16 +0,0 @@
diff --git a/seahub/base/accounts.py b/seahub/base/accounts.py
index 4ebbb98c4..ba468d073 100644
--- a/seahub/seahub/base/accounts.py
+++ b/seahub/seahub/base/accounts.py
@@ -540,7 +540,11 @@ class User(object):
class AuthBackend(object):
+ allowed_domain = settings.REMOTE_USER_DOMAIN
+
def get_user_with_import(self, username):
+ if '@' in username and self.allowed_domain != username.split('@')[1]:
+ raise User.DoesNotExist, 'Invalid domain for the email. Please use the seafile domain for the domain part of the email.'
emailuser = seaserv.get_emailuser_with_import(username)
if not emailuser:
raise User.DoesNotExist, 'User matching query does not exits.'

22
sources/seafile_api_loader.sh Executable file
View file

@ -0,0 +1,22 @@
#!/bin/bash
# Source YunoHost helpers
source /usr/share/yunohost/helpers
# Stop script if errors
#ynh_abort_if_errors
# Import common cmd
#source ./experimental_helper.sh
#source ./_common.sh
final_path=$(ynh_app_setting_get --app $YNH_APP_INSTANCE_NAME --key final_path)
export SEAFILE_CURRENT_DOMAIN=$(ynh_app_setting_get --app $YNH_APP_INSTANCE_NAME --key domain)
export CCNET_CONF_DIR=$final_path/ccnet
export SEAFILE_CONF_DIR=$final_path/conf
export SEAFILE_CENTRAL_CONF_DIR=$final_path/conf
export PYTHONPATH=$final_path/seafile-server-latest/seafile/lib/python2.7/site-packages:$final_path/seafile-server-latest/seafile/lib64/python2.7/site-packages:$PYTHONPATH
python $*