From 9653a21d679062271621418bf7123d8cdf09534c Mon Sep 17 00:00:00 2001 From: kaenganxt Date: Wed, 19 Jun 2024 22:42:37 +0200 Subject: [PATCH] Finalize script --- external_sync/clear_matrix.py | 80 +++++++++++++++++++---------------- external_sync/common.py | 2 +- 2 files changed, 44 insertions(+), 38 deletions(-) diff --git a/external_sync/clear_matrix.py b/external_sync/clear_matrix.py index 41a227b..2c168bb 100644 --- a/external_sync/clear_matrix.py +++ b/external_sync/clear_matrix.py @@ -4,61 +4,64 @@ import urllib.request import json +import settings import matrix_settings from common import create_keycloak_admin_client +import keycloak +import sys -to_file(open("log.json", "w")) +to_file(sys.stdout) allowed_roles = ["Mitarbeiter", "Piratenpartei Deutschland"] def get_allowed_keycloak_users(): keycloak_admin = create_keycloak_admin_client() - with start_action(action_type="get_keycloak_users") as action: - keycloak_users = keycloak_admin.get_users() - action.add_success_fields(keycloak_users=len(keycloak_users)) - allowed_ids = [] - with start_action(action_type="get_allowed_users") as action: - for user in keycloak_users: - roles = user.get('realmRoles') - if roles: - for role in roles: - if role in allowed_roles: - allowed_ids.append(user.get('id')) - break - action.add_success_fields(allowed_users=len(allowed_ids)) + for allowed_role in allowed_roles: + with start_action(action_type="get_keycloak_users_per_role", role=allowed_role) as action: + users = keycloak_admin.get_realm_role_members(allowed_role) + action.add_success_fields(keycloak_users=len(users)) + allowed_ids.extend([user.get('id') for user in users]) + + parent_group = keycloak_admin.get_group_by_path(settings.parent_group_path) + all_groups = keycloak_admin.get_group_children(parent_group["id"], full_hierarchy=True) + + for group in all_groups: + with start_action(action_type="get_keycloak_users_per_group", group=group["name"]) as action: + users = keycloak_admin.get_group_members(group['id']) + action.add_success_fields(keycloak_users=len(users)) + allowed_ids.extend([user.get('id') for user in users]) return allowed_ids def get_matrix_user(user): - with start_action(action_type="get_matrix_user", user=user["name"]) as action: - headers = {"Authorization", "Bearer " + matrix_settings.matrix_token} - try: - req = urllib.request.Request("http://localhost:8008/_synapse/admin/v2/users" + user['name'], headers=headers) - answer = json.loads(urllib.request.urlopen(req).read()) - except Exception as e: - log_message(message_type="user_retrieve_exception", user_id=user["name"], exception=e) - return None - - oidc_id = None - if "external_ids" in answer: - for provider in answer["external_ids"]: - if provider["auth_provider"] == "oidc-keycloak": - oidc_id = provider["external_id"] - if oidc_id: - return (user["name"], oidc_id) - else: - return None + headers = {"Authorization": "Bearer " + matrix_settings.matrix_token} + try: + req = urllib.request.Request("http://localhost:8008/_synapse/admin/v2/users/" + user['name'], headers=headers) + answer = json.loads(urllib.request.urlopen(req).read()) + except Exception as e: + log_message(message_type="user_retrieve_exception", user_id=user["name"], exception=e) + return None + + oidc_id = None + if "external_ids" in answer: + for provider in answer["external_ids"]: + if provider["auth_provider"] == "oidc-keycloak": + oidc_id = provider["external_id"] + if oidc_id: + return (user["name"], oidc_id) + else: + return None def get_all_matrix_users(): with start_action(action_type="get_matrix_users") as action: next = 0 users = [] - while next: - headers = {"Authorization", "Bearer " + matrix_settings.matrix_token} - req = urllib.request.Request("http://localhost:8008/_synapse/admin/v2/users?from=" + next, headers=headers) + while next != None: + headers = {"Authorization": "Bearer " + matrix_settings.matrix_token} + req = urllib.request.Request("http://localhost:8008/_synapse/admin/v2/users?from=" + str(next), headers=headers) answer = json.loads(urllib.request.urlopen(req).read()) next = answer['next_token'] if 'next_token' in answer else None answer_users = answer['users'] if 'users' in answer else [] @@ -72,7 +75,7 @@ def get_all_matrix_users(): return users def log_out_of_matrix(user_name): - headers = {"Authorization", "Bearer " + matrix_settings.matrix_token} + headers = {"Authorization": "Bearer " + matrix_settings.matrix_token} data = '{"erase": false}' req = urllib.request.Request("http://localhost:8008/_synapse/admin/v1/deactivate/" + user_name, headers=headers, data=data, method='POST') @@ -88,8 +91,11 @@ def main(): for (user_name, oidc_id) in matrix_users: if oidc_id not in keycloak_users: # User not allowed, force log out - log_message(message_type="log_out_user", user_id=user_name) + log_message(message_type="log_out_user", user_id=user_name, oidc=oidc_id) #log_out_of_matrix(user_name) if __name__ == "__main__": typer.run(main) + +# TODO: Test +# TODO: Only query enabled matrix users diff --git a/external_sync/common.py b/external_sync/common.py index 1ebe118..9fe26bc 100644 --- a/external_sync/common.py +++ b/external_sync/common.py @@ -14,5 +14,5 @@ def create_keycloak_admin_client() -> KeycloakAdmin: client_id=settings.client_id, client_secret_key=settings.client_secret, verify=True, - auto_refresh_token=['get', 'post', 'put', 'delete'] +# auto_refresh_token=['get', 'post', 'put', 'delete'] )