From 85e3c73525d327042c1ad142e48c044a5dbdd89c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Garc=C3=ADa?= Date: Sat, 6 Feb 2021 18:22:39 +0100 Subject: [PATCH] Basic experimental ldap import support with the official directory connector --- src/api/core/organizations.rs | 99 +++++++++++++++++++++++++++++++++++ src/db/models/organization.rs | 10 ++++ 2 files changed, 109 insertions(+) diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs index 56bc7a70..31ecfd46 100644 --- a/src/api/core/organizations.rs +++ b/src/api/core/organizations.rs @@ -50,6 +50,7 @@ pub fn routes() -> Vec { get_organization_tax, get_plans, get_plans_tax_rates, + import, ] } @@ -1076,3 +1077,101 @@ fn get_plans_tax_rates(_headers: Headers, _conn: DbConn) -> JsonResult { "ContinuationToken": null }))) } + +#[derive(Deserialize, Debug)] +#[allow(non_snake_case)] +struct OrgImportGroupData { + Name: String, // "GroupName" + ExternalId: String, // "cn=GroupName,ou=Groups,dc=example,dc=com" + Users: Vec, // ["uid=user,ou=People,dc=example,dc=com"] +} + +#[derive(Deserialize, Debug)] +#[allow(non_snake_case)] +struct OrgImportUserData { + Email: String, // "user@maildomain.net" + ExternalId: String, // "uid=user,ou=People,dc=example,dc=com" + Deleted: bool, +} + +#[derive(Deserialize, Debug)] +#[allow(non_snake_case)] +struct OrgImportData { + Groups: Vec, + OverwriteExisting: bool, + Users: Vec, +} + +#[post("/organizations//import", data = "")] +fn import(org_id: String, data: JsonUpcase, headers: Headers, conn: DbConn) -> EmptyResult { + let data = data.into_inner().data; + println!("{:#?}", data); + + // TODO: Currently we aren't storing the externalId's anywhere, so we also don't have a way + // to differentiate between auto-imported users and manually added ones. + // This means that this endpoint can end up removing users that were added manually by an admin, + // as opposed to upstream which only removes auto-imported users. + + // User needs to be admin or owner to use the Directry Connector + match UserOrganization::find_by_user_and_org(&headers.user.uuid, &org_id, &conn) { + Some(user_org) if user_org.atype >= UserOrgType::Admin => { /* Okay, nothing to do */ } + Some(_) => err!("User has insufficient permissions to use Directory Connector"), + None => err!("User not part of organization"), + }; + + for user_data in &data.Users { + if user_data.Deleted { + // If user is marked for deletion and it exists, delete it + if let Some(user_org) = UserOrganization::find_by_email_and_org(&user_data.Email, &org_id, &conn) { + user_org.delete(&conn)?; + } + + // If user is not part of the organization, but it exists + } else if UserOrganization::find_by_email_and_org(&user_data.Email, &org_id, &conn).is_none() { + if let Some (user) = User::find_by_mail(&user_data.Email, &conn) { + + let user_org_status = if CONFIG.mail_enabled() { + UserOrgStatus::Invited as i32 + } else { + UserOrgStatus::Accepted as i32 // Automatically mark user as accepted if no email invites + }; + + let mut new_org_user = UserOrganization::new(user.uuid.clone(), org_id.clone()); + new_org_user.access_all = false; + new_org_user.atype = UserOrgType::User as i32; + new_org_user.status = user_org_status; + + new_org_user.save(&conn)?; + + if CONFIG.mail_enabled() { + let org_name = match Organization::find_by_uuid(&org_id, &conn) { + Some(org) => org.name, + None => err!("Error looking up organization"), + }; + + mail::send_invite( + &user_data.Email, + &user.uuid, + Some(org_id.clone()), + Some(new_org_user.uuid), + &org_name, + Some(headers.user.email.clone()), + )?; + } + } + } + } + + // If this flag is enabled, any user that isn't provided in the Users list will be removed (by default they will be kept unless they have Deleted == true) + if data.OverwriteExisting { + for user_org in UserOrganization::find_by_org_and_type(&org_id, UserOrgType::User as i32, &conn) { + if let Some (user_email) = User::find_by_uuid(&user_org.user_uuid, &conn).map(|u| u.email) { + if !data.Users.iter().any(|u| u.Email == user_email) { + user_org.delete(&conn)?; + } + } + } + } + + Ok(()) +} diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs index 455c2466..ade0040b 100644 --- a/src/db/models/organization.rs +++ b/src/db/models/organization.rs @@ -439,6 +439,16 @@ impl UserOrganization { Ok(()) } + pub fn find_by_email_and_org(email: &str, org_id: &str, conn: &DbConn) -> Option { + if let Some(user) = super::User::find_by_mail(email, conn) { + if let Some(user_org) = UserOrganization::find_by_user_and_org(&user.uuid, org_id, &conn) { + return Some(user_org); + } + } + + None + } + pub fn has_status(&self, status: UserOrgStatus) -> bool { self.status == status as i32 }