cloudron-apps/mastodon-app
1
0
Fork 0
mirror of https://git.cloudron.io/cloudron/mastodon-app.git synced 2024-11-25 09:11:00 +00:00
Code Issues Projects Releases Wiki Activity

migrate LDAP users to OIDC

Browse source
This commit is contained in:
Vladimir D 2024-02-15 15:50:03 +04:00
parent 25292a86b4
commit e556c856f1
4 changed files with 56 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CloudronManifest.json
View file

@ -16,6 +16,7 @@
"postgresql": {}, "postgresql": {},
"redis": {}, "redis": {},
"sendmail": {}, "sendmail": {},
"ldap": {},
"oidc": { "loginRedirectUri": "/auth/auth/openid_connect/callback" }, "oidc": { "loginRedirectUri": "/auth/auth/openid_connect/callback" },
"scheduler": { "scheduler": {
"cleanup": { "cleanup": {

4
Dockerfile
View file

@ -69,7 +69,9 @@ RUN ln -sf /run/mastodon/supervisord.log /var/log/supervisor/supervisord.log
RUN ln -fs /app/data/env.production /app/code/.env.production RUN ln -fs /app/data/env.production /app/code/.env.production
RUN ln -fs /app/data/system /app/code/public/system RUN ln -fs /app/data/system /app/code/public/system
COPY start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/ COPY migrateUsers.js start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/
RUN chmod +x /app/pkg/migrateUsers.js
CMD [ "/app/pkg/start.sh" ] CMD [ "/app/pkg/start.sh" ]

45
migrateUsers.js Executable file
View file

@ -0,0 +1,45 @@
#!/usr/bin/env node
'use strict';
const execSync = require('child_process').execSync;
const ldapUserSearchCmd = `ldapsearch -LLL -x -H "${process.env.CLOUDRON_LDAP_URL}" -D "${process.env.CLOUDRON_LDAP_BIND_DN}" -w "${process.env.CLOUDRON_LDAP_BIND_PASSWORD}" -b "${process.env.CLOUDRON_LDAP_USERS_BASE_DN}"`
const postgresCmd = `PGPASSWORD=${process.env.CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${process.env.CLOUDRON_POSTGRESQL_HOST} -p ${process.env.CLOUDRON_POSTGRESQL_PORT} -U ${process.env.CLOUDRON_POSTGRESQL_USERNAME} -d ${process.env.CLOUDRON_POSTGRESQL_DATABASE}`
let usersTableExists = execSync(`${postgresCmd} -AXqtc "SELECT count(*) FROM information_schema.tables WHERE table_schema LIKE 'public' AND table_type LIKE 'BASE TABLE' AND table_name = 'users'"`);
if (usersTableExists == 0) {
console.log("DB hasn't been initialised yet. Nothing to migrate.");
process.exit(0);
}
let ldapProfiles = execSync(`${postgresCmd} -AXqtc "SELECT count(*) FROM users u JOIN accounts a ON a.id=u.account_id LEFT JOIN identities i ON i.uid=a.username WHERE i.uid IS NULL"`);
console.log(`LDAP profiles in DB: ${ldapProfiles}`);
if (ldapProfiles == 0) {
console.log("Nothing to migrate. All users' profiles are up-to-date.");
process.exit(0);
}
const ldapSearchOutput = execSync(ldapUserSearchCmd, { encoding: 'utf8' });
const users = {};
let userId;
for (let line of ldapSearchOutput.split('\n')) {
if (line.startsWith('mail:')) userId = line.split(':')[1].trim();
if (line.startsWith('username:')) users[userId] = line.split(':')[1].trim();
}
console.log('Found usermapping:', users);
for (let email in users) {
let uid = execSync(`${postgresCmd} -AXqtc "SELECT id FROM users WHERE email='${email}'"`).toString().trim();
if (!uid)
continue;
console.log(`Migrate ${email}/${users[email]} to OIDC`);
execSync(`${postgresCmd} -c "INSERT INTO identities (provider, uid, user_id, created_at, updated_at) VALUES ('openid_connect', '${users[email]}', ${uid}, NOW(), NOW())"`);
console.log(`"INSERT INTO identities (provider, uid, user_id, created_at, updated_at) VALUES ('openid_connect', '${users[email]}', ${uid}, NOW(), NOW())"`);
}
console.log('Done');

9
start.sh
View file

@ -30,7 +30,7 @@ sed -e "s/DB_HOST=.*/DB_HOST=${CLOUDRON_POSTGRESQL_HOST}/g" \
-e "s/WEB_DOMAIN=.*/WEB_DOMAIN=${CLOUDRON_APP_DOMAIN}/g" \ -e "s/WEB_DOMAIN=.*/WEB_DOMAIN=${CLOUDRON_APP_DOMAIN}/g" \
-i /app/data/env.production -i /app/data/env.production
# migrate LDAP settings to OIDC # migrate LDAP settings to OIDC (should be removed on the next release)
if grep -q "^LDAP_ENABLED" /app/data/env.production; then if grep -q "^LDAP_ENABLED" /app/data/env.production; then
# get rid LDAP settings # get rid LDAP settings
sed -e "s/LDAP_.*//g" \ sed -e "s/LDAP_.*//g" \
@ -48,11 +48,15 @@ OIDC_REDIRECT_URI=
OIDC_DISCOVERY= OIDC_DISCOVERY=
OIDC_SCOPE= OIDC_SCOPE=
OIDC_UID_FIELD= OIDC_UID_FIELD=
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
EOT EOT
fi fi
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
# should be removed on the next release
echo "==> migrating LDAP users to OIDC"
/app/pkg/migrateUsers.js
echo "==> Setting up OIDC" echo "==> Setting up OIDC"
sed -e "s/OIDC_ENABLED=.*/OIDC_ENABLED=true/g" \ sed -e "s/OIDC_ENABLED=.*/OIDC_ENABLED=true/g" \
-e "s/OIDC_DISPLAY_NAME=.*/OIDC_DISPLAY_NAME=Cloudron/g" \ -e "s/OIDC_DISPLAY_NAME=.*/OIDC_DISPLAY_NAME=Cloudron/g" \
@ -63,6 +67,7 @@ if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
-e "s/OIDC_DISCOVERY=.*/OIDC_DISCOVERY=true/g" \ -e "s/OIDC_DISCOVERY=.*/OIDC_DISCOVERY=true/g" \
-e "s/OIDC_SCOPE=.*/OIDC_SCOPE=openid,profile,email/g" \ -e "s/OIDC_SCOPE=.*/OIDC_SCOPE=openid,profile,email/g" \
-e "s/OIDC_UID_FIELD=.*/OIDC_UID_FIELD=sub/g" \ -e "s/OIDC_UID_FIELD=.*/OIDC_UID_FIELD=sub/g" \
-e "s/OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=.*/OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true/g" \
-i /app/data/env.production -i /app/data/env.production
fi fi