From 011e56454adfda9faeb56153bf673526bb329304 Mon Sep 17 00:00:00 2001
From: Rik Veenboer <rik.veenboer@gmail.com>
Date: Sat, 16 Nov 2024 17:29:43 +0100
Subject: [PATCH] experiment with seafile sso

---
 caddy/Caddyfile                    |  1 +
 nginx/etc/nginx/conf.d/global.conf |  1 -
 seafile/conf/seahub_settings.py    | 85 +++++++++++++++++++++++++++++-
 3 files changed, 84 insertions(+), 3 deletions(-)

diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index 0a7dade..12f80f9 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -71,6 +71,7 @@ insecure.rik.veenboer.xyz {
 
 seafile.rik.veenboer.xyz {
 	handle {
+		# import authentik
 		reverse_proxy http://host:8100
 	}
 
diff --git a/nginx/etc/nginx/conf.d/global.conf b/nginx/etc/nginx/conf.d/global.conf
index 7cccd56..e1ca0eb 100644
--- a/nginx/etc/nginx/conf.d/global.conf
+++ b/nginx/etc/nginx/conf.d/global.conf
@@ -94,7 +94,6 @@ server {
         proxy_pass http://host:9001;
         include /etc/nginx/conf/proxy.conf;
     }
-
 }
 
 server {
diff --git a/seafile/conf/seahub_settings.py b/seafile/conf/seahub_settings.py
index 6c4823a..443328c 100644
--- a/seafile/conf/seahub_settings.py
+++ b/seafile/conf/seahub_settings.py
@@ -1,5 +1,86 @@
-# -*- coding: utf-8 -*-
+## General
 SECRET_KEY = "zt^$p=*-yzytt3)1lidvsfjrq7qe+3t^$nw6wp_+bqhttxy4c!"
-
 SERVICE_URL = "https://seafile.rik.veenboer.xyz/"
 
+
+## Remote User Authentication
+ENABLE_REMOTE_USER_AUTHENTICATION = False
+
+# Optional, HTTP header, which is configured in your web server conf file,
+# used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'.
+REMOTE_USER_HEADER = 'X-Seafile-User'
+
+# Optional, when the value of HTTP_REMOTE_USER is not a valid email address，
+# Seafile will build a email-like unique id from the value of 'REMOTE_USER_HEADER'
+# and this domain, e.g. user1@example.com.
+REMOTE_USER_DOMAIN = 'veenboer.xyz'
+
+# Optional, whether to create new user in Seafile system, default value is True.
+# If this setting is disabled, users doesn't preexist in the Seafile DB cannot login.
+# The admin has to first import the users from external systems like LDAP.
+REMOTE_USER_CREATE_UNKNOWN_USER = True
+
+# Optional, whether to activate new user in Seafile system, default value is True.
+# If this setting is disabled, user will be unable to login by default.
+# the administrator needs to manually activate this user.
+REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True
+
+# Optional, map user attribute in HTTP header and Seafile's user attribute.
+REMOTE_USER_ATTRIBUTE_MAP = {
+    'X-Authentik-Username': 'name',
+    'X-Seafile-User': 'contact_email',
+
+    # for user info
+    # "HTTP_GIVENNAME": 'givenname',
+    # "HTTP_SN": 'surname',
+    # "HTTP_ORGANIZATION": 'institution',
+
+    # for user role
+    # 'HTTP_Shibboleth-affiliation': 'affiliation',
+}
+
+# Map affiliation to user role. Though the config name is SHIBBOLETH_AFFILIATION_ROLE_MAP,
+# it is not restricted to Shibboleth
+SHIBBOLETH_AFFILIATION_ROLE_MAP = {
+    # 'employee@uni-mainz.de': 'staff',
+    # 'member@uni-mainz.de': 'staff',
+    # 'student@uni-mainz.de': 'student',
+    # 'employee@hu-berlin.de': 'guest',
+    # 'patterns': (
+    #     ('*@hu-berlin.de', 'guest1'),
+    #     ('*@*.de', 'guest2'),
+    #     ('*', 'guest'),
+    # ),
+}
+
+
+## OAuth Authentication
+ENABLE_OAUTH = True
+
+# If create new user when he/she logs in Seafile for the first time, defalut `True`.
+OAUTH_CREATE_UNKNOWN_USER = True
+
+# If active new user when he/she logs in Seafile for the first time, defalut `True`.
+OAUTH_ACTIVATE_USER_AFTER_CREATION = True
+
+# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
+OAUTH_ENABLE_INSECURE_TRANSPORT = True
+
+# Client id/secret generated by authorization server when you register your client application.
+OAUTH_CLIENT_ID = "ppPkXbiyxpYKOlHdKHNM69HlzrKBz1DB9eTgvfgh"
+OAUTH_CLIENT_SECRET = "G1F5UwQyMDFSZpo8OjMLdU7TbMniWzNDJqjGHsGo1Yr03MOMM5uAw4gHLRMdxM72DLZUWWgSllEOkHk8ifBH7FVhlNw9zwc5LNOFIoXzMNZAuaJhLDlWPjWrfMCiosNT"
+
+# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
+OAUTH_REDIRECT_URL = 'https://seafile.rik.veenboer.xyz/oauth/callback/'
+
+OAUTH_PROVIDER_DOMAIN = 'authentik.rik.veenboer.xyz'
+OAUTH_AUTHORIZATION_URL = 'https://authentik.rik.veenboer.xyz/application/o/authorize/'
+OAUTH_TOKEN_URL = 'https://authentik.rik.veenboer.xyz/application/o/token/'
+OAUTH_USER_INFO_URL = 'https://authentik.rik.veenboer.xyz/application/o/userinfo/'
+OAUTH_SCOPE = ["user",]
+OAUTH_ATTRIBUTE_MAP = {
+    # "id": (True, "email"),  # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
+    "name": (False, "name"),
+    "email": (False, "contact_email"),
+    "uid": (True, "uid"),   # Seafile v11.0 +
+}