mirror of
https://github.com/YunoHost-Apps/seafile_ynh.git
synced 2024-09-03 20:26:01 +02:00
Merge branch 'use-main-email-for-sso' into full_upgrade
This commit is contained in:
Josué Tille
commit
eaa5281445
10 changed files with 85 additions and 90 deletions
10
README.md
10
README.md
|
|
@ -47,11 +47,9 @@ YunoHost specific features
|
|||
|
||||
This app support LDAP and the SSO authentification.
|
||||
|
||||
The restriction is that the user ID in this app is an email address. So it's potentially possible to have multiple user account with the same username. By example you can have `john@yunohost.org` and `john@seafile.org`. You can see the issue [#5](https://github.com/YunoHost-Apps/seafile_ynh/issues/5) wich describe this problem. You can check that you are not in this case if by going in seafile admin page in the user tab can see all account.
|
||||
|
||||
The best configuration is to give to each user an email which contains the domain used by seafile.
|
||||
|
||||
**To fix this issue seahub don't allow any authentication from a user different than "username@seafile_domain.tld".**
|
||||
If you have Seafile installed before 7.x and you have more than one domain for users in Yunohost or Seafile app is installed on a different domain, you need to migrate accounts.
|
||||
You can use the provided action at https://domain.tld/yunohost/admin/#/apps/seafile/actions. See [issue#44](https://github.com/YunoHost-Apps/seafile_ynh/issues/44)
|
||||
for more information.
|
||||
|
||||
### Supported architectures
|
||||
|
||||
|
|
@ -73,7 +71,7 @@ Additional informations
|
|||
|
||||
### Change URL
|
||||
|
||||
Since now it's possible to change domain or the url of seafile but use it with precaution because it has not been tested enough for a big production installation. For the authentication and user every email for authentication will have the new domain name. For example `toto@old_domain.tld` will be `toto@new_domain.tld`.
|
||||
Since now it's possible to change domain or the url of seafile but use it with precaution because it has not been tested enough for a big production installation.
|
||||
|
||||
To do this run : `yunohost app change-url seafile -d new_domain.tld -p PATH new_path
|
||||
|
||||
|
|
|
|||
20
actions.json
Normal file
20
actions.json
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
[{
|
||||
"id": "move_all_libraries",
|
||||
"name": "Move user's libraries",
|
||||
"command": "/opt/yunohost/seafile/seafile_api_loader.sh /opt/yunohost/seafile/move_library.py $YNH_ACTION_USER_TO_MIGRATE",
|
||||
"user": "root",
|
||||
"accepted_return_codes": [0],
|
||||
"description": {
|
||||
"en": "WARNING: Only use this feature if you know what you do.\n This action is only needed if you have installed Seafile before the version 7 AND your Seafile instance was installed under other domain than the user accounts. Move all user's libraries to the correct account, this action exists only for handling old created account with the old SSO behavior.\n See https://github.com/YunoHost-Apps/seafile_ynh/issues/44 for more information."
|
||||
},
|
||||
"arguments": [
|
||||
{
|
||||
"name": "user_to_migrate",
|
||||
"type": "user",
|
||||
"ask": {
|
||||
"en": "User account to be migrate from the old to the new behavior"
|
||||
},
|
||||
"example": "bob@domain.tld"
|
||||
}
|
||||
]
|
||||
}]
|
||||
|
|
@ -17,6 +17,8 @@ install_source() {
|
|||
ynh_die --message "Error : this architecture is no longer supported by the upstream. Please create en issue here : https://github.com/YunoHost-Apps/seafile_ynh/issues to ask to discuss about a support of this architecture"
|
||||
fi
|
||||
ynh_setup_source "$final_path/seafile-server-$seafile_version" "$architecture"
|
||||
cp ../sources/seafile_api_loader.sh $final_path/
|
||||
cp ../sources/move_library.py $final_path/
|
||||
}
|
||||
|
||||
install_dependance() {
|
||||
|
|
|
|||
|
|
@ -88,70 +88,6 @@ sed --in-place "s@REMOTE_USER_PROTECTED_PATH = \['$old_path', '$old_path/account
|
|||
|
||||
ynh_script_progression --message="Updating seafile database" --weight=7
|
||||
|
||||
# Update database
|
||||
|
||||
# This fonction relplace all old domain name by the new domain name.
|
||||
# use : mysql_relpace_db db_name table collum
|
||||
mysql_relpace_db() {
|
||||
sql_request='UPDATE `'"$2"'` SET '"$3 = replace($3, '$old_domain', '$domain')"
|
||||
ynh_mysql_execute_as_root --sql "$sql_request" --database $1
|
||||
}
|
||||
|
||||
# ccnet DB
|
||||
mysql_relpace_db ccnetdb EmailUser email
|
||||
mysql_relpace_db ccnetdb Group creator_name
|
||||
mysql_relpace_db ccnetdb GroupUser user_name
|
||||
mysql_relpace_db ccnetdb LDAPUsers email
|
||||
mysql_relpace_db ccnetdb Organization creator
|
||||
mysql_relpace_db ccnetdb OrgUser email
|
||||
mysql_relpace_db ccnetdb UserRole email
|
||||
|
||||
# seafile DB
|
||||
mysql_relpace_db seafiledb OrgUserQuota user
|
||||
mysql_relpace_db seafiledb RepoGroup user_name
|
||||
mysql_relpace_db seafiledb RepoOwner owner_id
|
||||
mysql_relpace_db seafiledb RepoTrash owner_id
|
||||
mysql_relpace_db seafiledb RepoUserToken email
|
||||
mysql_relpace_db seafiledb SharedRepo from_email
|
||||
mysql_relpace_db seafiledb SharedRepo to_email
|
||||
mysql_relpace_db seafiledb UserQuota user
|
||||
mysql_relpace_db seafiledb UserShareQuota user
|
||||
|
||||
# seahub DB
|
||||
mysql_relpace_db seahubdb api2_token user
|
||||
mysql_relpace_db seahubdb api2_tokenv2 user
|
||||
mysql_relpace_db seahubdb avatar_avatar emailuser
|
||||
mysql_relpace_db seahubdb base_clientlogintoken username
|
||||
mysql_relpace_db seahubdb base_devicetoken user
|
||||
mysql_relpace_db seahubdb base_filecomment author
|
||||
mysql_relpace_db seahubdb base_innerpubmsg from_email
|
||||
mysql_relpace_db seahubdb base_innerpubmsgreply from_email
|
||||
mysql_relpace_db seahubdb base_userenabledmodule username
|
||||
mysql_relpace_db seahubdb base_userlastlogin username
|
||||
mysql_relpace_db seahubdb base_userstarredfiles email
|
||||
mysql_relpace_db seahubdb group_groupmessage from_email
|
||||
mysql_relpace_db seahubdb group_messagereply from_email
|
||||
mysql_relpace_db seahubdb institutions_institutionadmin user
|
||||
mysql_relpace_db seahubdb notifications_usernotification to_user
|
||||
mysql_relpace_db seahubdb options_useroptions email
|
||||
mysql_relpace_db seahubdb post_office_attachment_emails email_id
|
||||
mysql_relpace_db seahubdb post_office_email from_email
|
||||
mysql_relpace_db seahubdb profile_profile user
|
||||
mysql_relpace_db seahubdb profile_profile login_id
|
||||
mysql_relpace_db seahubdb profile_profile contact_email
|
||||
mysql_relpace_db seahubdb registration_registrationprofile emailuser_id
|
||||
mysql_relpace_db seahubdb share_anonymousshare repo_owner
|
||||
mysql_relpace_db seahubdb share_fileshare username
|
||||
mysql_relpace_db seahubdb share_privatefiledirshare from_user
|
||||
mysql_relpace_db seahubdb share_privatefiledirshare to_user
|
||||
mysql_relpace_db seahubdb share_uploadlinkshare username
|
||||
mysql_relpace_db seahubdb sysadmin_extra_userloginlog username
|
||||
mysql_relpace_db seahubdb termsandconditions_usertermsandconditions username
|
||||
mysql_relpace_db seahubdb two_factor_phonedevice user
|
||||
mysql_relpace_db seahubdb two_factor_staticdevice user
|
||||
mysql_relpace_db seahubdb two_factor_totpdevice user
|
||||
mysql_relpace_db seahubdb wiki_personalwiki username
|
||||
|
||||
# Avoid the current effect
|
||||
sleep 2
|
||||
|
||||
|
|
|
|||
|
|
@ -123,8 +123,9 @@ echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_set
|
|||
|
||||
# SSO authentication
|
||||
echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py
|
||||
echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_DOMAIN = '$domain'" | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_DOMAIN = ''" | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py
|
||||
|
||||
# LDAP configuration
|
||||
|
|
@ -172,7 +173,8 @@ ynh_debug_exec ls /opt/yunohost/seafile/ccnet
|
|||
su - $seafile_user -s /bin/bash -c "$final_path/seafile-server-$seafile_version/seafile.sh start"
|
||||
# We escape all char witch needed.
|
||||
ynh_replace_special_string --match_string __ADMIN_PASSWORD__ --replace_string "$admin_password" --target_file $final_path/first_launch.exp
|
||||
su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin@$domain"
|
||||
admin_email=$(ynh_user_get_info --username $admin --key 'mail')
|
||||
su - $seafile_user -s /bin/bash -c "$final_path/first_launch.exp $final_path/seafile-server-$seafile_version $admin_email"
|
||||
ynh_secure_remove --file="$final_path/first_launch.exp"
|
||||
|
||||
#=================================================
|
||||
|
|
|
|||
|
|
@ -144,8 +144,9 @@ case $installed_version in
|
|||
expect_scripts/upgrade_7.0.exp $final_path/seafile-server-$seafile_version $root_pwd
|
||||
# SSO authentication
|
||||
echo 'ENABLE_REMOTE_USER_AUTHENTICATION = True' | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_HEADER = 'HTTP_EMAIL'" | tee -a $final_path/conf/seahub_settings.py
|
||||
echo 'REMOTE_USER_CREATE_UNKNOWN_USER = False' | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_DOMAIN = '$domain'" | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_DOMAIN = ''" | tee -a $final_path/conf/seahub_settings.py
|
||||
echo "REMOTE_USER_PROTECTED_PATH = ['$path_url', '$path_url/accounts/login']" | tee -a $final_path/conf/seahub_settings.py
|
||||
|
||||
# Clean connexion from the SSO. If we don't do this we could have some when the user was loged by the old SSO auth mecanisme
|
||||
|
|
|
|||
31
sources/move_library.py
Normal file
31
sources/move_library.py
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import sys
|
||||
import os
|
||||
from seaserv import seafile_api, ccnet_api
|
||||
|
||||
seafile_local_emails = map(lambda user: user.email, ccnet_api.get_emailusers('DB', start=-1, limit=-1, is_active=None))
|
||||
active_user_emails = map(lambda user: user.email, ccnet_api.get_emailusers(source='LDAPImport', start=-1, limit=-1, is_active=True))
|
||||
ldap_user_emails = map(lambda user: user.email, ccnet_api.get_emailusers(source='LDAP', start=-1, limit=-1, is_active=None))
|
||||
non_active_user_emails = list(set(ldap_user_emails) - set(active_user_emails))
|
||||
|
||||
seafile_domain = os.environ['SEAFILE_CURRENT_DOMAIN']
|
||||
source_user = sys.argv[1]
|
||||
source_user_email = source_user + '@' + seafile_domain
|
||||
assert (source_user_email in seafile_local_emails), 'The user must be in local seafile users list'
|
||||
|
||||
# TODO we might want to use non_active_user_emails in place of ldap_user_emails here
|
||||
filtered_potencial_target_users = list(filter(lambda email: email.startswith(source_user + '@'), ldap_user_emails))
|
||||
assert (not len(filtered_potencial_target_users) > 1), 'This user have multiple target possible can\'t continue'
|
||||
assert (len(filtered_potencial_target_users) == 1), 'This user doesn\'t have any possible match in Yunohost LDAP'
|
||||
|
||||
target_user_email = filtered_potencial_target_users[0]
|
||||
|
||||
ccnet_api.get_emailuser_with_import(target_user_email)
|
||||
|
||||
source_repositories = seafile_api.get_owned_repo_list(source_user_email);
|
||||
|
||||
for repo in source_repositories:
|
||||
seafile_api.set_repo_owner(repo.id, target_user_email)
|
||||
|
||||
ccnet_api.remove_emailuser('DB', source_user_email)
|
||||
|
|
@ -1 +0,0 @@
|
|||
x86-64-force_domain_email.patch
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
diff --git a/seahub/base/accounts.py b/seahub/base/accounts.py
|
||||
index 4ebbb98c4..ba468d073 100644
|
||||
--- a/seahub/seahub/base/accounts.py
|
||||
+++ b/seahub/seahub/base/accounts.py
|
||||
@@ -540,7 +540,11 @@ class User(object):
|
||||
|
||||
class AuthBackend(object):
|
||||
|
||||
+ allowed_domain = settings.REMOTE_USER_DOMAIN
|
||||
+
|
||||
def get_user_with_import(self, username):
|
||||
+ if '@' in username and self.allowed_domain != username.split('@')[1]:
|
||||
+ raise User.DoesNotExist, 'Invalid domain for the email. Please use the seafile domain for the domain part of the email.'
|
||||
emailuser = seaserv.get_emailuser_with_import(username)
|
||||
if not emailuser:
|
||||
raise User.DoesNotExist, 'User matching query does not exits.'
|
||||
22
sources/seafile_api_loader.sh
Executable file
22
sources/seafile_api_loader.sh
Executable file
|
|
@ -0,0 +1,22 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Source YunoHost helpers
|
||||
source /usr/share/yunohost/helpers
|
||||
|
||||
# Stop script if errors
|
||||
#ynh_abort_if_errors
|
||||
|
||||
# Import common cmd
|
||||
#source ./experimental_helper.sh
|
||||
#source ./_common.sh
|
||||
|
||||
final_path=$(ynh_app_setting_get --app $YNH_APP_INSTANCE_NAME --key final_path)
|
||||
|
||||
export SEAFILE_CURRENT_DOMAIN=$(ynh_app_setting_get --app $YNH_APP_INSTANCE_NAME --key domain)
|
||||
export CCNET_CONF_DIR=$final_path/ccnet
|
||||
export SEAFILE_CONF_DIR=$final_path/conf
|
||||
export SEAFILE_CENTRAL_CONF_DIR=$final_path/conf
|
||||
|
||||
export PYTHONPATH=$final_path/seafile-server-latest/seafile/lib/python2.7/site-packages:$final_path/seafile-server-latest/seafile/lib64/python2.7/site-packages:$PYTHONPATH
|
||||
|
||||
python $*
|
||||
Loading…
Reference in a new issue