Update for closed regsitration release

This commit is contained in:
Johannes Zellner 2024-02-23 16:45:18 +01:00
parent 6fa11cf195
commit 0c77e8c32a
6 changed files with 12 additions and 78 deletions

View file

@ -16,7 +16,6 @@
"postgresql": {},
"redis": {},
"sendmail": {},
"ldap": {},
"oidc": { "loginRedirectUri": "/auth/auth/openid_connect/callback" },
"scheduler": {
"cleanup": {

View file

@ -69,9 +69,7 @@ RUN ln -sf /run/mastodon/supervisord.log /var/log/supervisor/supervisord.log
RUN ln -fs /app/data/env.production /app/code/.env.production
RUN ln -fs /app/data/system /app/code/public/system
COPY migrateUsers.js start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/
RUN chmod +x /app/pkg/migrateUsers.js
COPY start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/
CMD [ "/app/pkg/start.sh" ]

View file

@ -1,4 +1,6 @@
Accounts are created with the username and the subdomain under which this app is installed e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-FQDN`. Mastodon does not allow changing the domain part of the account later. See [the docs](https://docs.cloudron.io/apps/mastodon/#federation) for more information, if you want to change this domain.
Accounts are created with the username and the subdomain under which this app is installed e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-FQDN`.
Mastodon does not allow changing the domain part of the account later.
See [the docs](https://docs.cloudron.io/apps/mastodon/#federation) for more information, f you want to change this domain.
<sso>
**NOTE:**
@ -7,3 +9,9 @@ Accounts are created with the username and the subdomain under which this app is
* External registration [does not work well](https://github.com/mastodon/mastodon/issues/20655) when Cloudron user management is enabled.
</sso>
<nosso>
**NOTE:**
* Open registration is disabled by default. To enable this, see the [docs](https://docs.cloudron.io/apps/mastodon/#registration)
* To add an initial account follow those [instructions](https://docs.cloudron.io/apps/mastodon/#adding-users)
</nosso>

View file

@ -1,45 +0,0 @@
#!/usr/bin/env node
'use strict';
const execSync = require('child_process').execSync;
const ldapUserSearchCmd = `ldapsearch -LLL -x -H "${process.env.CLOUDRON_LDAP_URL}" -D "${process.env.CLOUDRON_LDAP_BIND_DN}" -w "${process.env.CLOUDRON_LDAP_BIND_PASSWORD}" -b "${process.env.CLOUDRON_LDAP_USERS_BASE_DN}"`
const postgresCmd = `PGPASSWORD=${process.env.CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${process.env.CLOUDRON_POSTGRESQL_HOST} -p ${process.env.CLOUDRON_POSTGRESQL_PORT} -U ${process.env.CLOUDRON_POSTGRESQL_USERNAME} -d ${process.env.CLOUDRON_POSTGRESQL_DATABASE}`
let usersTableExists = execSync(`${postgresCmd} -AXqtc "SELECT count(*) FROM information_schema.tables WHERE table_schema LIKE 'public' AND table_type LIKE 'BASE TABLE' AND table_name = 'users'"`);
if (usersTableExists == 0) {
console.log("DB hasn't been initialised yet. Nothing to migrate.");
process.exit(0);
}
let ldapProfiles = execSync(`${postgresCmd} -AXqtc "SELECT count(*) FROM users u JOIN accounts a ON a.id=u.account_id LEFT JOIN identities i ON i.uid=a.username WHERE i.uid IS NULL"`);
console.log(`LDAP profiles in DB: ${ldapProfiles}`);
if (ldapProfiles == 0) {
console.log("Nothing to migrate. All users' profiles are up-to-date.");
process.exit(0);
}
const ldapSearchOutput = execSync(ldapUserSearchCmd, { encoding: 'utf8' });
const users = {};
let userId;
for (let line of ldapSearchOutput.split('\n')) {
if (line.startsWith('uid:')) userId = line.split(':')[1].trim();
if (line.startsWith('username:')) users[userId] = line.split(':')[1].trim();
}
console.log('Found usermapping:', users);
for (let id in users) {
let uid = execSync(`${postgresCmd} -AXqtc "SELECT u.id FROM users u JOIN accounts a ON a.id=u.account_id WHERE NOT EXISTS (SELECT 1 FROM identities WHERE provider='openid_connect' AND uid='${users[id]}') AND a.username='${users[id]}'"`).toString().trim();
if (!uid)
continue;
console.log(`Migrate ${users[id]} to OIDC`);
execSync(`${postgresCmd} -c "INSERT INTO identities (provider, uid, user_id, created_at, updated_at) VALUES ('openid_connect', '${users[id]}', ${uid}, NOW(), NOW())"`);
console.log(`"INSERT INTO identities (provider, uid, user_id, created_at, updated_at) VALUES ('openid_connect', '${users[id]}', ${uid}, NOW(), NOW())"`);
}
console.log('Done');

View file

@ -30,33 +30,7 @@ sed -e "s/DB_HOST=.*/DB_HOST=${CLOUDRON_POSTGRESQL_HOST}/g" \
-e "s/WEB_DOMAIN=.*/WEB_DOMAIN=${CLOUDRON_APP_DOMAIN}/g" \
-i /app/data/env.production
# migrate LDAP settings to OIDC (should be removed on the next release)
if grep -q "^LDAP_ENABLED" /app/data/env.production; then
# get rid LDAP settings
sed -e "s/LDAP_.*//g" \
-e "s/# SSO configuration//g" \
-i /app/data/env.production
cat >> /app/data/env.production <<EOT
# SSO configuration
OIDC_ENABLED=
OIDC_DISPLAY_NAME=
OIDC_ISSUER=
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URI=
OIDC_DISCOVERY=
OIDC_SCOPE=
OIDC_UID_FIELD=
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
EOT
fi
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
# should be removed on the next release
echo "==> migrating LDAP users to OIDC"
/app/pkg/migrateUsers.js
echo "==> Setting up OIDC"
sed -e "s/OIDC_ENABLED=.*/OIDC_ENABLED=true/g" \
-e "s/OIDC_DISPLAY_NAME=.*/OIDC_DISPLAY_NAME=Cloudron/g" \

View file

@ -134,7 +134,7 @@ describe('Application life cycle test', function () {
it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
it('can get app information', getAppInfo);
it('has registration open', checkRegistration.bind(null, 'open'));
it('has registration open', checkRegistration.bind(null, 'none'));
let testPassword;
it('create a user with CLI', function () {
let output = execSync('cloudron exec --app ' + LOCATION + ' -- bin/tootctl accounts create test --email=test@cloudron.io', { cwd: path.resolve(__dirname, '..'), encoding: 'utf8' });
@ -199,7 +199,7 @@ describe('Application life cycle test', function () {
it('can install app', function () { execSync('cloudron install --appstore-id ' + manifest.id + ' --location ' + LOCATION, EXEC_ARGS); });
it('can get app information', getAppInfo);
// needs to be changed to loginOIDC on the next release
it('can LDAP login', login.bind(null, username, password));
it('can OIDC login', loginOIDC.bind(null, username, password));
it('can logout', logout);
it('can update', async function () {