sync Keycloak users with Documize
This commit is contained in:
parent
b2620e80e1
commit
8c062d592a
11 changed files with 178 additions and 55 deletions
|
@ -111,5 +111,9 @@ export default Ember.Component.extend({
|
||||||
this.get('onSave')(provider, config).then(() => {
|
this.get('onSave')(provider, config).then(() => {
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
|
|
||||||
|
onSync() {
|
||||||
|
this.get('onSync')();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
@ -27,6 +27,12 @@ export default Ember.Controller.extend(NotifierMixin, {
|
||||||
this.set('appMeta.authConfig', config);
|
this.set('appMeta.authConfig', config);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
onSync() {
|
||||||
|
return this.get('global').syncExternalUsers().then((response) => {
|
||||||
|
this.showNotification(response.message);
|
||||||
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{{auth-settings authProvider=model.authProvider authConfig=model.authConfig onSave=(action 'onSave')}}
|
{{auth-settings authProvider=model.authProvider authConfig=model.authConfig onSave=(action 'onSave') onSync=(action 'onSync')}}
|
||||||
|
|
|
@ -14,6 +14,7 @@ import AuthenticatedRouteMixin from 'ember-simple-auth/mixins/authenticated-rout
|
||||||
|
|
||||||
export default Ember.Route.extend(AuthenticatedRouteMixin, {
|
export default Ember.Route.extend(AuthenticatedRouteMixin, {
|
||||||
userService: Ember.inject.service('user'),
|
userService: Ember.inject.service('user'),
|
||||||
|
global: Ember.inject.service('global'),
|
||||||
|
|
||||||
beforeModel: function () {
|
beforeModel: function () {
|
||||||
if (!this.session.isAdmin) {
|
if (!this.session.isAdmin) {
|
||||||
|
@ -21,8 +22,14 @@ export default Ember.Route.extend(AuthenticatedRouteMixin, {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
model: function () {
|
model() {
|
||||||
return this.get('userService').getAll();
|
return new Ember.RSVP.Promise((resolve) => {
|
||||||
|
this.get('global').syncExternalUsers().then(() => {
|
||||||
|
this.get('userService').getAll().then((users) =>{
|
||||||
|
resolve(users);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
},
|
},
|
||||||
|
|
||||||
activate: function () {
|
activate: function () {
|
||||||
|
|
|
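Review bot: The new `model()` wraps the chain in a `new Ember.RSVP.Promise` whose `reject` is never wired, so if `syncExternalUsers()` or `getAll()` rejects (or the sync call returns `undefined`, which the service does for non-global admins) `resolve` is never reached and the transition hangs with no error surfaced. Returning the chain directly lets failures propagate to the route's error handling: `return this.get('global').syncExternalUsers().then(() => this.get('userService').getAll());`. If the intent is to still show the user list when the sync fails, add a `.catch(() => {})` on the sync call before chaining `getAll()`.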
@ -73,5 +73,15 @@ export default Ember.Service.extend({
|
||||||
data: JSON.stringify(config)
|
data: JSON.stringify(config)
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
|
||||||
|
syncExternalUsers() {
|
||||||
|
if(this.get('sessionService.isGlobalAdmin')) {
|
||||||
|
return this.get('ajax').request(`users/sync`, {
|
||||||
|
method: 'GET'
|
||||||
|
}).then((response) => {
|
||||||
|
return response;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
},
|
||||||
});
|
});
|
||||||
|
|
|
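Review bot: `syncExternalUsers()` returns nothing when `sessionService.isGlobalAdmin` is false, so the controller's `onSync` (`.then((response) => this.showNotification(response.message))`) and the user route's `model()` would call `.then` on `undefined` and throw. Return a resolved promise from the non-admin path so callers get a consistent contract, e.g. `return Ember.RSVP.resolve({ message: '' });` after the `if` block, or drop the client-side gate and let the server's forbidden response drive the error path. Note also that this guard checks global-admin while the user route's `beforeModel` only checks `session.isAdmin`; if those differ, that route reaches the undefined return.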
@ -48,4 +48,6 @@
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
|
||||||
<div class="regular-button button-blue" {{action 'onSave'}}>save</div>
|
<div class="regular-button button-blue" {{action 'onSave'}}>save</div>
|
||||||
|
<div class="button-gap" />
|
||||||
|
<div class="regular-button button-green" {{action 'onSync'}}>sync users</div>
|
||||||
</form>
|
</form>
|
||||||
|
|
|
@ -28,6 +28,7 @@ import (
|
||||||
"github.com/documize/community/core/api/util"
|
"github.com/documize/community/core/api/util"
|
||||||
"github.com/documize/community/core/log"
|
"github.com/documize/community/core/log"
|
||||||
"github.com/documize/community/core/utility"
|
"github.com/documize/community/core/utility"
|
||||||
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -117,7 +118,15 @@ func AuthenticateKeycloak(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err = addUser(p, a)
|
user = entity.User{}
|
||||||
|
user.Firstname = a.Firstname
|
||||||
|
user.Lastname = a.Lastname
|
||||||
|
user.Email = a.Email
|
||||||
|
user.Initials = utility.MakeInitials(user.Firstname, user.Lastname)
|
||||||
|
user.Salt = util.GenerateSalt()
|
||||||
|
user.Password = util.GeneratePassword(util.GenerateRandomPassword(), user.Salt)
|
||||||
|
|
||||||
|
err = addUser(p, &user)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeServerError(w, method, err)
|
writeServerError(w, method, err)
|
||||||
return
|
return
|
||||||
|
@ -162,32 +171,100 @@ func AuthenticateKeycloak(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
err = SyncUsers(ac)
|
|
||||||
if err != nil {
|
|
||||||
log.Error("su", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
writeSuccessBytes(w, json)
|
writeSuccessBytes(w, json)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Helper method to setup user account in Documize using Keycloak provided user data.
|
// SyncKeycloak gets list of Keycloak users and inserts new users into Documize
|
||||||
func addUser(p request.Persister, a keycloakAuthRequest) (u entity.User, err error) {
|
// and marks Keycloak disabled users as inactive.
|
||||||
u.Firstname = a.Firstname
|
func SyncKeycloak(w http.ResponseWriter, r *http.Request) {
|
||||||
u.Lastname = a.Lastname
|
p := request.GetPersister(r)
|
||||||
u.Email = a.Email
|
|
||||||
u.Initials = utility.MakeInitials(a.Firstname, a.Lastname)
|
|
||||||
u.Salt = util.GenerateSalt()
|
|
||||||
u.Password = util.GeneratePassword(util.GenerateRandomPassword(), u.Salt)
|
|
||||||
|
|
||||||
|
if !p.Context.Administrator {
|
||||||
|
writeForbiddenError(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var result struct {
|
||||||
|
Message string `json:"message"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// Org contains raw auth provider config
|
||||||
|
org, err := p.GetOrganization(p.Context.OrgID)
|
||||||
|
if err != nil {
|
||||||
|
result.Message = "Unable to get organization record"
|
||||||
|
log.Error(result.Message, err)
|
||||||
|
util.WriteJSON(w, result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Make Keycloak auth provider config
|
||||||
|
c := keycloakConfig{}
|
||||||
|
err = json.Unmarshal([]byte(org.AuthConfig), &c)
|
||||||
|
if err != nil {
|
||||||
|
result.Message = "Unable process Keycloak public key"
|
||||||
|
log.Error(result.Message, err)
|
||||||
|
util.WriteJSON(w, result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// User list from Keycloak
|
||||||
|
kcUsers, err := KeycloakUsers(c)
|
||||||
|
if err != nil {
|
||||||
|
result.Message = "Unable to fetch Keycloak users: " + err.Error()
|
||||||
|
log.Error(result.Message, err)
|
||||||
|
util.WriteJSON(w, result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// User list from Documize
|
||||||
|
dmzUsers, err := p.GetUsersForOrganization()
|
||||||
|
if err != nil {
|
||||||
|
result.Message = "Unable to fetch Documize users"
|
||||||
|
log.Error(result.Message, err)
|
||||||
|
util.WriteJSON(w, result)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
sort.Slice(kcUsers, func(i, j int) bool { return kcUsers[i].Email < kcUsers[j].Email })
|
||||||
|
sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email })
|
||||||
|
|
||||||
|
insert := []entity.User{}
|
||||||
|
|
||||||
|
for _, k := range kcUsers {
|
||||||
|
exists := false
|
||||||
|
|
||||||
|
for _, d := range dmzUsers {
|
||||||
|
if k.Email == d.Email {
|
||||||
|
exists = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !exists {
|
||||||
|
insert = append(insert, k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Insert new users into Documize
|
||||||
|
for _, u := range insert {
|
||||||
|
err = addUser(p, &u)
|
||||||
|
}
|
||||||
|
|
||||||
|
result.Message = fmt.Sprintf("Keycloak sync'ed %d users, %d new additions", len(kcUsers), len(insert))
|
||||||
|
log.Info(result.Message)
|
||||||
|
util.WriteJSON(w, result)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Helper method to setup user account in Documize using Keycloak provided user data.
|
||||||
|
func addUser(p request.Persister, u *entity.User) (err error) {
|
||||||
// only create account if not dupe
|
// only create account if not dupe
|
||||||
addUser := true
|
addUser := true
|
||||||
addAccount := true
|
addAccount := true
|
||||||
var userID string
|
var userID string
|
||||||
|
|
||||||
userDupe, err := p.GetUserByEmail(a.Email)
|
userDupe, err := p.GetUserByEmail(u.Email)
|
||||||
|
|
||||||
if err != nil && err != sql.ErrNoRows {
|
if err != nil && err != sql.ErrNoRows {
|
||||||
return u, err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if u.Email == userDupe.Email {
|
if u.Email == userDupe.Email {
|
||||||
|
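Review bot: The insert loop `for _, u := range insert { err = addUser(p, &u) }` overwrites `err` on every iteration and never checks it, so a failed insert is neither logged nor reflected in `result.Message`, which reports `len(insert)` as new additions regardless of outcome. Check each call, log the failure, and count only successful inserts (see fence). The doc comment also says the sync "marks Keycloak disabled users as inactive", but this hunk only inserts users absent from Documize and never touches `Active` on existing ones; either implement that or trim the comment to `// SyncKeycloak gets list of Keycloak users and inserts new users into Documize.`. Sorting both slices and then running a nested loop is O(n·m); a `map[string]struct{}` of Documize emails makes the membership test O(1) and the two `sort.Slice` calls unnecessary. Finally, `result.Message = "Unable process Keycloak public key"` is copied from the public-key path and misdescribes this failure, which is unmarshalling the org's `AuthConfig`.
```go
// … unchanged: admin check, org lookup, config unmarshal, KeycloakUsers and GetUsersForOrganization …
existing := make(map[string]struct{}, len(dmzUsers))
for _, d := range dmzUsers {
	existing[d.Email] = struct{}{}
}

insert := []entity.User{}
for _, k := range kcUsers {
	if _, ok := existing[k.Email]; !ok {
		insert = append(insert, k)
	}
}

// Insert new users into Documize, counting only the ones that succeeded
added := 0
for i := range insert {
	if err = addUser(p, &insert[i]); err != nil {
		log.Error("Unable to add Keycloak user "+insert[i].Email, err)
		continue
	}
	added++
}

result.Message = fmt.Sprintf("Keycloak sync'ed %d users, %d new additions", len(kcUsers), added)
// … unchanged: log and write result …
```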
@ -197,17 +274,17 @@ func addUser(p request.Persister, a keycloakAuthRequest) (u entity.User, err err
|
||||||
|
|
||||||
p.Context.Transaction, err = request.Db.Beginx()
|
p.Context.Transaction, err = request.Db.Beginx()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return u, err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if addUser {
|
if addUser {
|
||||||
userID = util.UniqueID()
|
userID = util.UniqueID()
|
||||||
u.RefID = userID
|
u.RefID = userID
|
||||||
err = p.AddUser(u)
|
err = p.AddUser(*u)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.IfErr(p.Context.Transaction.Rollback())
|
log.IfErr(p.Context.Transaction.Rollback())
|
||||||
return u, err
|
return err
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
attachUserAccounts(p, p.Context.OrgID, &userDupe)
|
attachUserAccounts(p, p.Context.OrgID, &userDupe)
|
||||||
|
@ -234,23 +311,22 @@ func addUser(p request.Persister, a keycloakAuthRequest) (u entity.User, err err
|
||||||
err = p.AddAccount(a)
|
err = p.AddAccount(a)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.IfErr(p.Context.Transaction.Rollback())
|
log.IfErr(p.Context.Transaction.Rollback())
|
||||||
return u, err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
log.IfErr(p.Context.Transaction.Commit())
|
log.IfErr(p.Context.Transaction.Commit())
|
||||||
|
|
||||||
// If we did not add user or give them access (account) then we error back
|
nu, err := p.GetUser(userID)
|
||||||
if !addUser && !addAccount {
|
u = &nu
|
||||||
log.IfErr(p.Context.Transaction.Rollback())
|
|
||||||
return u, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return p.GetUser(userID)
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// SyncUsers gets list of Keycloak users for specified Realm, Client Id
|
// KeycloakUsers gets list of Keycloak users for specified Realm, Client Id
|
||||||
func SyncUsers(c keycloakConfig) (err error) {
|
func KeycloakUsers(c keycloakConfig) (users []entity.User, err error) {
|
||||||
|
users = []entity.User{}
|
||||||
|
|
||||||
form := url.Values{}
|
form := url.Values{}
|
||||||
form.Add("username", c.AdminUser)
|
form.Add("username", c.AdminUser)
|
||||||
form.Add("password", c.AdminPassword)
|
form.Add("password", c.AdminPassword)
|
||||||
|
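Review bot: `u = &nu` at the end of `addUser` reassigns the local pointer parameter, not the caller's struct, so the record fetched by `p.GetUser(userID)` is silently dropped and callers such as `AuthenticateKeycloak` (which previously received the full user from the old `return p.GetUser(userID)`) now keep only what was assigned through the pointer earlier, such as `RefID`. Copy the value through the pointer instead: `*u = nu`. The commit also drops the old `!addUser && !addAccount` rollback, so the transaction is now committed even when nothing was written; if that is intended for the sync path, a one-line comment saying so would help. addUser's body starts outside this hunk.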
@ -267,59 +343,65 @@ func SyncUsers(c keycloakConfig) (err error) {
|
||||||
client := &http.Client{}
|
client := &http.Client{}
|
||||||
res, err := client.Do(req)
|
res, err := client.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return users, err
|
||||||
}
|
}
|
||||||
|
|
||||||
defer res.Body.Close()
|
defer res.Body.Close()
|
||||||
body, err := ioutil.ReadAll(res.Body)
|
body, err := ioutil.ReadAll(res.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return users, err
|
||||||
}
|
}
|
||||||
|
|
||||||
ka := keycloakAPIAuth{}
|
ka := keycloakAPIAuth{}
|
||||||
err = json.Unmarshal(body, &ka)
|
err = json.Unmarshal(body, &ka)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return users, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if res.StatusCode != http.StatusOK {
|
if res.StatusCode != http.StatusOK {
|
||||||
return errors.New("Keycloak authentication failed " + res.Status)
|
return users, errors.New("Keycloak authentication failed " + res.Status)
|
||||||
}
|
}
|
||||||
|
|
||||||
req, err = http.NewRequest("GET",
|
req, err = http.NewRequest("GET", fmt.Sprintf("%s/admin/realms/%s/users?max=500", c.URL, c.Realm), nil)
|
||||||
fmt.Sprintf("%s/admin/realms/%s/users?max=500", c.URL, c.Realm),
|
|
||||||
nil)
|
|
||||||
|
|
||||||
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", ka.AccessToken))
|
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", ka.AccessToken))
|
||||||
|
|
||||||
client = &http.Client{}
|
client = &http.Client{}
|
||||||
res, err = client.Do(req)
|
res, err = client.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return users, err
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
defer res.Body.Close()
|
defer res.Body.Close()
|
||||||
body, err = ioutil.ReadAll(res.Body)
|
body, err = ioutil.ReadAll(res.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return users, err
|
||||||
}
|
}
|
||||||
|
|
||||||
u := []keycloakUser{}
|
kcUsers := []keycloakUser{}
|
||||||
err = json.Unmarshal(body, &u)
|
err = json.Unmarshal(body, &kcUsers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return users, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if res.StatusCode != http.StatusOK {
|
if res.StatusCode != http.StatusOK {
|
||||||
return errors.New("Keycloak /users call failed " + res.Status)
|
return users, errors.New("Keycloak /users call failed " + res.Status)
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info(fmt.Sprintf("%d", res.StatusCode))
|
for _, kc := range kcUsers {
|
||||||
|
u := entity.User{}
|
||||||
|
u.Email = kc.Email
|
||||||
|
u.Firstname = kc.Firstname
|
||||||
|
u.Lastname = kc.Lastname
|
||||||
|
u.Initials = utility.MakeInitials(u.Firstname, u.Lastname)
|
||||||
|
u.Active = kc.Enabled
|
||||||
|
u.Editor = false
|
||||||
|
|
||||||
fmt.Println(fmt.Sprintf("%d len", len(u)))
|
users = append(users, u)
|
||||||
fmt.Println(u[0].Email)
|
}
|
||||||
|
|
||||||
return nil
|
return users, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Data received via Keycloak client library
|
// Data received via Keycloak client library
|
||||||
|
|
|
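Review bot: The reworked request `req, err = http.NewRequest("GET", fmt.Sprintf("%s/admin/realms/%s/users?max=500", c.URL, c.Realm), nil)` still ignores `err` and goes straight to `req.Header.Add`, which dereferences a nil `req` if `c.URL` does not form a valid URL. The `max=500` cap is also hard-coded with no `first` offset, so a realm with more than 500 users is silently truncated and the sync reports success on a partial list; paging through the admin API until a page comes back short fixes both (see fence). Two smaller points: `client := &http.Client{}` has no `Timeout`, so an unresponsive Keycloak blocks the sync handler indefinitely, and the body is unmarshalled before `res.StatusCode` is checked, which turns an HTML or empty error response into a JSON parse error instead of the `Keycloak /users call failed` message. KeycloakUsers begins in the previous hunk.
```go
// … unchanged: admin token request and keycloakAPIAuth decode …
client = &http.Client{Timeout: 30 * time.Second} // timeout value is illustrative; needs "time" imported
const pageSize = 500
for first := 0; ; first += pageSize {
	req, err = http.NewRequest("GET", fmt.Sprintf("%s/admin/realms/%s/users?first=%d&max=%d", c.URL, c.Realm, first, pageSize), nil)
	if err != nil {
		return users, err
	}
	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", ka.AccessToken))

	res, err = client.Do(req)
	if err != nil {
		return users, err
	}
	body, err = ioutil.ReadAll(res.Body)
	res.Body.Close()
	if err != nil {
		return users, err
	}
	if res.StatusCode != http.StatusOK {
		return users, errors.New("Keycloak /users call failed " + res.Status)
	}

	page := []keycloakUser{}
	if err = json.Unmarshal(body, &page); err != nil {
		return users, err
	}
	for _, kc := range page {
		// … unchanged: map keycloakUser fields onto entity.User and append to users …
	}
	if len(page) < pageSize {
		break
	}
}

return users, nil
```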
@ -202,6 +202,7 @@ func init() {
|
||||||
log.IfErr(Add(RoutePrefixPrivate, "users/{userID}", []string{"GET", "OPTIONS"}, nil, GetUser))
|
log.IfErr(Add(RoutePrefixPrivate, "users/{userID}", []string{"GET", "OPTIONS"}, nil, GetUser))
|
||||||
log.IfErr(Add(RoutePrefixPrivate, "users/{userID}", []string{"PUT", "OPTIONS"}, nil, UpdateUser))
|
log.IfErr(Add(RoutePrefixPrivate, "users/{userID}", []string{"PUT", "OPTIONS"}, nil, UpdateUser))
|
||||||
log.IfErr(Add(RoutePrefixPrivate, "users/{userID}", []string{"DELETE", "OPTIONS"}, nil, DeleteUser))
|
log.IfErr(Add(RoutePrefixPrivate, "users/{userID}", []string{"DELETE", "OPTIONS"}, nil, DeleteUser))
|
||||||
|
log.IfErr(Add(RoutePrefixPrivate, "users/sync", []string{"GET", "OPTIONS"}, nil, SyncKeycloak))
|
||||||
|
|
||||||
// Search
|
// Search
|
||||||
log.IfErr(Add(RoutePrefixPrivate, "search", []string{"GET", "OPTIONS"}, nil, SearchDocuments))
|
log.IfErr(Add(RoutePrefixPrivate, "search", []string{"GET", "OPTIONS"}, nil, SearchDocuments))
|
||||||
|
|
|
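Review bot: `users/sync` is registered on `GET` although `SyncKeycloak` inserts user records and is therefore a state-changing operation; it would conventionally be `POST` (`[]string{"POST", "OPTIONS"}`), which keeps it out of link prefetchers and caches and matches the `PUT`/`DELETE` routes above it. The Ember `syncExternalUsers()` call that sends `method: 'GET'` would need the matching change.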
@ -64,6 +64,17 @@ func (user *User) Fullname() string {
|
||||||
return fmt.Sprintf("%s %s", user.Firstname, user.Lastname)
|
return fmt.Sprintf("%s %s", user.Firstname, user.Lastname)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetAccount returns matching org account using orgID
|
||||||
|
func (user *User) GetAccount(orgID string) (a Account, found bool) {
|
||||||
|
for _, a := range user.Accounts {
|
||||||
|
if a.OrgID == orgID {
|
||||||
|
return a, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return a, false
|
||||||
|
}
|
||||||
|
|
||||||
// Organization defines a company that uses this app.
|
// Organization defines a company that uses this app.
|
||||||
type Organization struct {
|
type Organization struct {
|
||||||
BaseEntity
|
BaseEntity
|
||||||
|
|
|
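Review bot: In the new `GetAccount`, the range variable `a` shadows the named result `a`, so `return a, false` after the loop returns the zero `Account` from the result slot rather than the last element — correct, but easy to misread and flagged by shadow checkers. Renaming the loop variable makes the intent explicit: `for _, acct := range user.Accounts { if acct.OrgID == orgID { return acct, true } }` followed by `return Account{}, false`.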
@ -38,7 +38,7 @@ var dbPtr **sqlx.DB
|
||||||
func Check(Db *sqlx.DB, connectionString string) bool {
|
func Check(Db *sqlx.DB, connectionString string) bool {
|
||||||
dbPtr = &Db
|
dbPtr = &Db
|
||||||
|
|
||||||
log.Info("Running database checks, this may take a while...")
|
log.Info("Database checks: started")
|
||||||
|
|
||||||
csBits := strings.Split(connectionString, "/")
|
csBits := strings.Split(connectionString, "/")
|
||||||
if len(csBits) > 1 {
|
if len(csBits) > 1 {
|
||||||
|
@ -73,8 +73,8 @@ func Check(Db *sqlx.DB, connectionString string) bool {
|
||||||
// MySQL and Percona share same version scheme (e..g 5.7.10).
|
// MySQL and Percona share same version scheme (e..g 5.7.10).
|
||||||
// MariaDB starts at 10.2.x
|
// MariaDB starts at 10.2.x
|
||||||
sqlVariant := GetSQLVariant(dbComment)
|
sqlVariant := GetSQLVariant(dbComment)
|
||||||
log.Info("SQL variant: " + sqlVariant)
|
log.Info("Database checks: SQL variant " + sqlVariant)
|
||||||
log.Info("SQL version: " + version)
|
log.Info("Database checks: SQL version " + version)
|
||||||
|
|
||||||
verNums, err := GetSQLVersion(version)
|
verNums, err := GetSQLVersion(version)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -211,7 +211,7 @@ func Migrate(ConfigTableExists bool) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return migrateEnd(tx, err, amLeader)
|
return migrateEnd(tx, err, amLeader)
|
||||||
}
|
}
|
||||||
log.Info("Database checks: last previously applied file was " + lastMigration)
|
log.Info("Database checks: last applied " + lastMigration)
|
||||||
}
|
}
|
||||||
|
|
||||||
mig, err := migrations(lastMigration)
|
mig, err := migrations(lastMigration)
|
||||||
|
@ -220,7 +220,7 @@ func Migrate(ConfigTableExists bool) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(mig) == 0 {
|
if len(mig) == 0 {
|
||||||
log.Info("Database checks: no updates to perform")
|
log.Info("Database checks: no updates required")
|
||||||
return migrateEnd(tx, nil, amLeader) // no migrations to perform
|
return migrateEnd(tx, nil, amLeader) // no migrations to perform
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -233,7 +233,7 @@ func Migrate(ConfigTableExists bool) error {
|
||||||
targetMigration := string(mig[len(mig)-1])
|
targetMigration := string(mig[len(mig)-1])
|
||||||
for targetMigration != lastMigration {
|
for targetMigration != lastMigration {
|
||||||
time.Sleep(time.Second)
|
time.Sleep(time.Second)
|
||||||
log.Info("Waiting for database migration process to complete")
|
log.Info("Waiting for database migration completion")
|
||||||
tx.Rollback() // ignore error
|
tx.Rollback() // ignore error
|
||||||
tx, err := (*dbPtr).Beginx() // need this in order to see the changed situation since last tx
|
tx, err := (*dbPtr).Beginx() // need this in order to see the changed situation since last tx
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|