feat: Add ability to enforce SSO

Closes #543, closes #545
2025-07-18 20:59:44 +02:00 · 2024-02-01 00:31:15 +01:00 · 2024-02-01 00:31:15 +01:00 · 6c826c7127
commit 6c826c7127
parent 988afba1d0
10 changed files with 80 additions and 46 deletions
--- a/client/src/components/Login/Login.jsx
+++ b/client/src/components/Login/Login.jsx
@ -68,6 +68,7 @@ const Login = React.memo(
    isSubmittingUsingOidc,
    error,
    withOidc,
+    isOidcEnforced,
    onAuthenticate,
    onAuthenticateUsingOidc,
    onMessageDismiss,
@ -107,8 +108,10 @@ const Login = React.memo(
    }, [onAuthenticate, data]);

    useEffect(() => {
-      emailOrUsernameField.current.focus();
-    }, []);
+      if (!isOidcEnforced) {
+        emailOrUsernameField.current.focus();
+      }
+    }, [isOidcEnforced]);

    useEffect(() => {
      if (wasSubmitting && !isSubmitting && error) {
@ -159,51 +162,57 @@ const Login = React.memo(
                        onDismiss={onMessageDismiss}
                      />
                    )}
-                    <Form size="large" onSubmit={handleSubmit}>
-                      <div className={styles.inputWrapper}>
-                        <div className={styles.inputLabel}>{t('common.emailOrUsername')}</div>
-                        <Input
-                          fluid
-                          ref={emailOrUsernameField}
-                          name="emailOrUsername"
-                          value={data.emailOrUsername}
-                          readOnly={isSubmitting}
-                          className={styles.input}
-                          onChange={handleFieldChange}
+                    {!isOidcEnforced && (
+                      <Form size="large" onSubmit={handleSubmit}>
+                        <div className={styles.inputWrapper}>
+                          <div className={styles.inputLabel}>{t('common.emailOrUsername')}</div>
+                          <Input
+                            fluid
+                            ref={emailOrUsernameField}
+                            name="emailOrUsername"
+                            value={data.emailOrUsername}
+                            readOnly={isSubmitting}
+                            className={styles.input}
+                            onChange={handleFieldChange}
+                          />
+                        </div>
+                        <div className={styles.inputWrapper}>
+                          <div className={styles.inputLabel}>{t('common.password')}</div>
+                          <Input.Password
+                            fluid
+                            ref={passwordField}
+                            name="password"
+                            value={data.password}
+                            readOnly={isSubmitting}
+                            className={styles.input}
+                            onChange={handleFieldChange}
+                          />
+                        </div>
+                        <Form.Button
+                          primary
+                          size="large"
+                          icon="right arrow"
+                          labelPosition="right"
+                          content={t('action.logIn')}
+                          floated="right"
+                          loading={isSubmitting}
+                          disabled={isSubmitting || isSubmittingUsingOidc}
                        />
-                      </div>
-                      <div className={styles.inputWrapper}>
-                        <div className={styles.inputLabel}>{t('common.password')}</div>
-                        <Input.Password
-                          fluid
-                          ref={passwordField}
-                          name="password"
-                          value={data.password}
-                          readOnly={isSubmitting}
-                          className={styles.input}
-                          onChange={handleFieldChange}
-                        />
-                      </div>
-                      <Form.Button
-                        primary
-                        size="large"
-                        icon="right arrow"
-                        labelPosition="right"
-                        content={t('action.logIn')}
-                        floated="right"
-                        loading={isSubmitting}
-                        disabled={isSubmitting || isSubmittingUsingOidc}
-                      />
-                    </Form>
+                      </Form>
+                    )}
                    {withOidc && (
                      <Button
                        type="button"
+                        fluid={isOidcEnforced}
+                        primary={isOidcEnforced}
+                        size={isOidcEnforced ? 'large' : undefined}
+                        icon={isOidcEnforced ? 'right arrow' : undefined}
+                        labelPosition={isOidcEnforced ? 'right' : undefined}
+                        content={t('action.logInWithSSO')}
                        loading={isSubmittingUsingOidc}
                        disabled={isSubmitting || isSubmittingUsingOidc}
                        onClick={onAuthenticateUsingOidc}
-                      >
-                        {t('action.logInWithSSO')}
-                      </Button>
+                      />
                    )}
                  </div>
                </div>
@ -242,6 +251,7 @@ Login.propTypes = {
  isSubmittingUsingOidc: PropTypes.bool.isRequired,
  error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
  withOidc: PropTypes.bool.isRequired,
+  isOidcEnforced: PropTypes.bool.isRequired,
  onAuthenticate: PropTypes.func.isRequired,
  onAuthenticateUsingOidc: PropTypes.func.isRequired,
  onMessageDismiss: PropTypes.func.isRequired,
--- a/client/src/components/UsersModal/UsersModal.jsx
+++ b/client/src/components/UsersModal/UsersModal.jsx
@ -10,6 +10,7 @@ import Item from './Item';
 const UsersModal = React.memo(
  ({
    items,
+    canAdd,
    onUpdate,
    onUsernameUpdate,
    onUsernameUpdateMessageDismiss,
@ -130,11 +131,13 @@ const UsersModal = React.memo(
            </Table.Body>
          </Table>
        </Modal.Content>
-        <Modal.Actions>
-          <UserAddPopupContainer>
-            <Button positive content={t('action.addUser')} />
-          </UserAddPopupContainer>
-        </Modal.Actions>
+        {canAdd && (
+          <Modal.Actions>
+            <UserAddPopupContainer>
+              <Button positive content={t('action.addUser')} />
+            </UserAddPopupContainer>
+          </Modal.Actions>
+        )}
      </Modal>
    );
  },
@ -142,6 +145,7 @@ const UsersModal = React.memo(

 UsersModal.propTypes = {
  items: PropTypes.array.isRequired, // eslint-disable-line react/forbid-prop-types
+  canAdd: PropTypes.bool.isRequired,
  onUpdate: PropTypes.func.isRequired,
  onUsernameUpdate: PropTypes.func.isRequired,
  onUsernameUpdateMessageDismiss: PropTypes.func.isRequired,
--- a/client/src/containers/LoginContainer.js
+++ b/client/src/containers/LoginContainer.js
@ -20,6 +20,7 @@ const mapStateToProps = (state) => {
    isSubmittingUsingOidc,
    error,
    withOidc: !!oidcConfig,
+    isOidcEnforced: oidcConfig && oidcConfig.isEnforced,
  };
 };

--- a/client/src/containers/UsersModalContainer.js
+++ b/client/src/containers/UsersModalContainer.js
@ -6,10 +6,12 @@ import entryActions from '../entry-actions';
 import UsersModal from '../components/UsersModal';

 const mapStateToProps = (state) => {
+  const oidcConfig = selectors.selectOidcConfig(state);
  const users = selectors.selectUsersExceptCurrent(state);

  return {
    items: users,
+    canAdd: !oidcConfig || !oidcConfig.isEnforced,
  };
 };

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -50,6 +50,7 @@ services:
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
+      # - OIDC_ENFORCED=true

      # - SLACK_BOT_TOKEN=xoxb-xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx
      # - SLACK_CHANNEL_ID=xxxxxxxxxx
--- a/server/.env.sample
+++ b/server/.env.sample
@ -33,6 +33,7 @@ SECRET_KEY=notsecretkey
 # OIDC_ROLES_ATTRIBUTE=groups
 # OIDC_IGNORE_USERNAME=true
 # OIDC_IGNORE_ROLES=true
+# OIDC_ENFORCED=true

 ## Do not edit this

--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -46,8 +46,11 @@ module.exports = {
  },

  async fn(inputs) {
-    const remoteAddress = getRemoteAddress(this.req);
+    if (sails.config.custom.oidcEnforced) {
+      throw Errors.USE_SINGLE_SIGN_ON;
+    }

+    const remoteAddress = getRemoteAddress(this.req);
    const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);

    if (!user) {
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@ -10,6 +10,7 @@ module.exports = {
          response_mode: 'fragment',
        }),
        endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
+        isEnforced: sails.config.custom.oidcEnforced,
      };
    }

--- a/server/api/controllers/users/create.js
+++ b/server/api/controllers/users/create.js
@ -1,6 +1,9 @@
 const zxcvbn = require('zxcvbn');

 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
  EMAIL_ALREADY_IN_USE: {
    emailAlreadyInUse: 'Email already in use',
  },
@ -56,6 +59,9 @@ module.exports = {
  },

  exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
    emailAlreadyInUse: {
      responseType: 'conflict',
    },
@ -65,6 +71,10 @@ module.exports = {
  },

  async fn(inputs) {
+    if (sails.config.custom.oidcEnforced) {
+      throw Errors.NOT_ENOUGH_RIGHTS;
+    }
+
    const values = _.pick(inputs, [
      'email',
      'password',
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -44,6 +44,7 @@ module.exports.custom = {
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
  oidcIgnoreUsername: process.env.OIDC_IGNORE_USERNAME === 'true',
  oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
+  oidcEnforced: process.env.OIDC_ENFORCED === 'true',

  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${