feat: Migration script for LDAP sync #93

Open
wants to merge 11 commits into
base: tlater/remove-cache
123 changes: 79 additions & 44 deletions Cargo.lock


9 changes: 8 additions & 1 deletion Cargo.toml
Expand Up @@ -5,11 +5,14 @@ authors = []
edition = "2021"
publish = false

[[bin]]
name = "migrate"
path = "src/bin/migrate.rs"

[dependencies]
anyhow = { version = "1.0.81", features = ["backtrace"] }
async-trait = "0.1.82"
base64 = "0.22.1"
bincode = "1.3.3"
chrono = "0.4.19"
config = { version = "0.14.0" }
http = "1.1.0"
Expand All @@ -27,6 +30,10 @@ zitadel-rust-client = { git = "https://github.com/famedly/zitadel-rust-client",
wiremock = "0.6.2"
csv = "1.3.0"
tempfile = "3.12.0"
futures = "0.3.31"
ldap3 = { version = "0.11.1", default-features = false, features = ["tls-native"] }
native-tls = "0.2.12"
hex = "0.4.3"

[dependencies.tonic]
version = "*"
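Review bot: The new `ldap3` line is built with `default-features = false, features = ["tls-native"]` and a direct `native-tls = "0.2.12"` is added right after it, which suggests the migration binary builds its own `TlsConnector`; if that is the case, make sure the connector keeps certificate and hostname verification enabled (no `danger_accept_invalid_certs` / `danger_accept_invalid_hostnames`), since the sample LDAP config already models the only deliberate weakening as `danger_use_start_tls`. A short comment on the dependency would make the intent explicit, e.g. `# tls-native: TLS through the platform trust store; StartTLS is only used when danger_use_start_tls is set`. The `[dependencies.tonic]` table at the end of the hunk continues outside the visible diff and is unchanged context.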
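--- /dev/null
+++ b/sample-configs/csv-config.sample.yaml
@@ -0,0 +1,30 @@
+# Configuration for Famedly's Zitadel - has to be provided by Famedly
+zitadel:
+# The Famedly user endpoint to sync to.
+url: https://auth.famedly.de
+# The Famedly-provided service user credentials.
+key_file: /opt/famedly-sync-agent/service-user.json
+# The organization whose users to sync.
+organization_id: 278274756195721220
+# The project to grant users access to.
+project_id: 278274945274880004
+# The identity provider ID to enable SSO login for
+idp_id: 281430143275106308
+
+feature_flags:
+- verify_email # Whether to ask users to verify their email addresses post sync
+- verify_phone # Whether to ask users to verify their phone numbers post sync
+# - sso_login # Whether to enable SSO login - Please note that his has some drawbacks and limitations, see the help center article for more information
+# - dry_run # Disable syncing users to Zitadel - Intended to ensure syncs are working before productive deployment
+# - deactivate_only # Only deactivate users, do not create or update them.
+
+# Configuration for the sources to sync from.
+sources:
+# Configuration for the CSV sources
+# Updates Zitadel to match the CSV file.
+#! DANGER: This will delete all users that are not in the CSV file!
+csv:
+# Path to the CSV file to read from.
+# Expected structure of the CSV file is as follows:
+# email,first_name,last_name,phone
+file_path: ./tests/environment/files/test-users.csv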
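Review bot: The sample ships a destructive default: `file_path` points at a repository test fixture (`./tests/environment/files/test-users.csv`), the comment above `csv:` warns that every Zitadel user absent from that file is deleted, and `dry_run` is commented out, so copying this file into `/opt/famedly-sync-agent/` unchanged risks removing production users on the first run. Suggest the sample default to the safe mode and a deployment path: change `# - dry_run` to `- dry_run`, set `file_path: /opt/famedly-sync-agent/users.csv`, and extend the warning with `# Run with the dry_run feature flag first and check the log output before removing it.`. Note also that the comment removed from the old combined sample described the CSV source as only creating **new** users, while this file says it deletes users missing from the CSV; whichever matches the code, the two descriptions cannot both be right, so worth confirming against the CSV source implementation.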
30 changes: 1 addition & 29 deletions config.sample.yaml → sample-configs/ldap-config.sample.yaml
Expand Up @@ -16,7 +16,7 @@ feature_flags:
- verify_phone # Whether to ask users to verify their phone numbers post sync
# - sso_login # Whether to enable SSO login - Please note that his has some drawbacks and limitations, see the help center article for more information
# - dry_run # Disable syncing users to Zitadel - Intended to ensure syncs are working before productive deployment
# - deactivate_only # Only deactivate users, do not create or update them. Keep in mind LDAP is cached and all the changes made on LDAP will be written to the cache as if they where applied. Therefore, only the deactivation changes will be applied to Zitadel but **all the other changes will be lost**.
# - deactivate_only # Only deactivate users, do not create or update them.

# Configuration for the sources to sync from.
sources:
Expand Down Expand Up @@ -87,31 +87,3 @@ sources:
# needed with the `ldaps` scheme, as the server will already be
# hosting TLS.
danger_use_start_tls: false

# Path to the file that keeps track of previously synced LDAP entries.
# This file should be persisted, otherwise users may become out of sync.
cache_path: /opt/famedly-sync-agent/famedly-sync.cache

# Configuration for the UKT source - a custom endpoint provided by UKT,
# which gives a list of emails of users that should be deleted from Zitadel.
ukt:
# Endpoint URL to fetch the list of users from.
endpoint_url: https://list.example.invalid/usersync4chat/maillist
# OAuth2 URL to fetch the token from.
oauth2_url: https://list.example.invalid/token
# Client ID
client_id: mock_client_id
# Client Secret
client_secret: mock_client_secret
# Scope of what to fetch
scope: "openid read-maillist"
# Grant type
grant_type: client_credentials

# Configuration for the CSV source - reads a CSV file
# and creates **new** users in Famedly's Zitadel.
# Expected structure of the CSV file is as follows:
# email,first_name,last_name,phone
csv:
# Path to the CSV file to read from.
file_path: ./tests/environment/files/test-users.csv
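Review bot: The second hunk drops `cache_path` from the LDAP sample without telling operators what to do with the key in configs they already have deployed; since this PR is explicitly a migration for existing LDAP syncs, a short deprecation comment after `danger_use_start_tls: false` such as `# NOTE: cache_path is no longer used; remove it from existing configs and run the migrate binary once` would avoid confusion. Whether the config loader rejects or silently ignores the now-unknown key is not visible in this diff, so the wording should be checked against the loader. The shortened `deactivate_only` comment in the first hunk is consistent with the cache being removed. The `ldap:` block that the second hunk ends in starts outside the visible hunk.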
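--- /dev/null
+++ b/sample-configs/ukt-config.sample.yaml
@@ -0,0 +1,37 @@
+# Configuration for Famedly's Zitadel - has to be provided by Famedly
+zitadel:
+# The Famedly user endpoint to sync to.
+url: https://auth.famedly.de
+# The Famedly-provided service user credentials.
+key_file: /opt/famedly-sync-agent/service-user.json
+# The organization whose users to sync.
+organization_id: 278274756195721220
+# The project to grant users access to.
+project_id: 278274945274880004
+# The identity provider ID to enable SSO login for
+idp_id: 281430143275106308
+
+feature_flags:
+- verify_email # Whether to ask users to verify their email addresses post sync
+- verify_phone # Whether to ask users to verify their phone numbers post sync
+# - sso_login # Whether to enable SSO login - Please note that his has some drawbacks and limitations, see the help center article for more information
+# - dry_run # Disable syncing users to Zitadel - Intended to ensure syncs are working before productive deployment
+# - deactivate_only # Only deactivate users, do not create or update them.
+
+# Configuration for the sources to sync from.
+sources:
+# Configuration for the UKT source - a custom endpoint provided by UKT,
+# which gives a list of emails of users that should be deleted from Zitadel.
+ukt:
+# Endpoint URL to fetch the list of users from.
+endpoint_url: https://list.example.invalid/usersync4chat/maillist
+# OAuth2 URL to fetch the token from.
+oauth2_url: https://list.example.invalid/token
+# Client ID
+client_id: mock_client_id
+# Client Secret
+client_secret: mock_client_secret
+# Scope of what to fetch
+scope: "openid read-maillist"
+# Grant type
+grant_type: client_credentials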
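Review bot: `client_secret: mock_client_secret` stores an OAuth2 client secret in plaintext in the same YAML as the rest of the configuration, whereas the Zitadel credentials in the same file are kept out of it via `key_file`. At minimum the sample should tell operators to protect the file, e.g. replace `# Client Secret` with `# Client Secret - keep this file readable only by the sync agent user (e.g. chmod 600)`; a `client_secret_file` option mirroring `key_file` would be the better fix, but that needs code support not visible here. Because this source produces the list of users to delete from Zitadel, it is also worth stating in the `endpoint_url` / `oauth2_url` comments that both must remain `https://` so the deletion list cannot be altered in transit; whether the client enforces that scheme is not shown in this diff.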