diff --git a/cypress/e2e/frontend/manage/config/config-manager.cy.ts b/cypress/e2e/frontend/manage/config/config-manager.cy.ts index b4e3d94b..4ecccf7b 100644 --- a/cypress/e2e/frontend/manage/config/config-manager.cy.ts +++ b/cypress/e2e/frontend/manage/config/config-manager.cy.ts @@ -143,6 +143,7 @@ context('Config Manager', () => { ['New commenters must confirm their email', ''], ['New users must confirm their email', '✔'], ['Enable registration of new users', '✔'], + ['Enable registration of new users via SSO', '✔'], ['Show login dialog for unauthenticated users', '✔'], ['Enable commenter registration via external provider', '✔'], ['Enable local commenter registration', '✔'], @@ -182,6 +183,7 @@ context('Config Manager', () => { cy.get('@configEdit').find('#auth_signup_confirm_commenter') .should('not.be.checked').clickLabel().should('be.checked'); cy.get('@configEdit').find('#auth_signup_confirm_user') .should('be.checked') .clickLabel().should('not.be.checked'); cy.get('@configEdit').find('#auth_signup_enabled') .should('be.checked') .clickLabel().should('not.be.checked'); + cy.get('@configEdit').find('#auth_signup_sso_enabled') .should('be.checked') .clickLabel().should('not.be.checked'); cy.get('@configEdit').find('#domain_defaults_comments_deletion_author') .should('be.checked') .clickLabel().should('not.be.checked'); cy.get('@configEdit').find('#domain_defaults_comments_deletion_moderator').should('be.checked') .clickLabel().should('not.be.checked'); cy.get('@configEdit').find('#domain_defaults_comments_editing_author') .should('be.checked') .clickLabel().should('not.be.checked'); @@ -219,6 +221,7 @@ context('Config Manager', () => { ['New commenters must confirm their email', '✔'], ['New users must confirm their email', ''], ['Enable registration of new users', ''], + ['Enable registration of new users via SSO', ''], ['Show login dialog for unauthenticated users', ''], ['Enable commenter registration via external provider', ''], ['Enable local commenter registration', '✔'], @@ -283,6 +286,7 @@ context('Config Manager', () => { [InstanceConfigKey.authSignupConfirmCommenter]: false, [InstanceConfigKey.authSignupConfirmUser]: false, [InstanceConfigKey.authSignupEnabled]: false, + [InstanceConfigKey.authSsoSignupEnabled]: false, [InstanceConfigKey.domainDefaultsCommentDeletionAuthor]: false, [InstanceConfigKey.domainDefaultsCommentDeletionModerator]: true, [InstanceConfigKey.domainDefaultsCommentEditingAuthor]: true, @@ -311,6 +315,7 @@ context('Config Manager', () => { ['New commenters must confirm their email', ''], ['New users must confirm their email', ''], ['Enable registration of new users', ''], + ['Enable registration of new users via SSO', ''], ['Show login dialog for unauthenticated users', ''], ['Enable commenter registration via external provider', ''], ['Enable local commenter registration', ''], diff --git a/cypress/support/cy-utils.ts b/cypress/support/cy-utils.ts index 4775dce0..c0a87913 100644 --- a/cypress/support/cy-utils.ts +++ b/cypress/support/cy-utils.ts @@ -199,6 +199,7 @@ export enum InstanceConfigKey { authSignupConfirmCommenter = 'auth.signup.confirm.commenter', authSignupConfirmUser = 'auth.signup.confirm.user', authSignupEnabled = 'auth.signup.enabled', + authSsoSignupEnabled = 'auth.signup.sso.enabled', integrationsUseGravatar = 'integrations.useGravatar', operationNewOwnerEnabled = 'operation.newOwner.enabled', // Domain defaults diff --git a/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md b/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md index 35acc2ba..9427c016 100644 --- a/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md +++ b/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md @@ -7,6 +7,7 @@ tags: - administration - Administration UI seeAlso: + - auth.signup.sso.enabled - domain.defaults.signup.enablefederated - domain.defaults.signup.enablelocal - domain.defaults.signup.enablesso diff --git a/docs/content/configuration/backend/dynamic/auth.signup.sso.enabled.en.md b/docs/content/configuration/backend/dynamic/auth.signup.sso.enabled.en.md new file mode 100644 index 00000000..66748b51 --- /dev/null +++ b/docs/content/configuration/backend/dynamic/auth.signup.sso.enabled.en.md @@ -0,0 +1,23 @@ +--- +title: Enable registration of new users via SSO +description: auth.signup.sso.enabled +tags: + - configuration + - dynamic configuration + - administration + - Administration UI +seeAlso: + - auth.signup.enabled + - domain.defaults.signup.enablefederated + - domain.defaults.signup.enablelocal + - domain.defaults.signup.enablesso +--- + +This [dynamic configuration](/configuration/backend/dynamic) parameter controls whether new users are allowed to register in the Administration UI of Comentario via SSO. + + + +* If set to `On`, new users can register in the Administration UI via SSO. +* If set to `Off`, new user registrations via SSO are forbidden. + +This setting applies only to the Administration UI. diff --git a/e2e/plugin/db-seed.sql b/e2e/plugin/db-seed.sql index 1e02e554..69aaec98 100644 --- a/e2e/plugin/db-seed.sql +++ b/e2e/plugin/db-seed.sql @@ -5,6 +5,7 @@ values ('auth.signup.confirm.commenter', 'false', '0001-01-01 00:00:00.000000'), ('auth.signup.confirm.user', 'true', '0001-01-01 00:00:00.000000'), ('auth.signup.enabled', 'true', '0001-01-01 00:00:00.000000'), + ('auth.signup.sso.enabled', 'true', '0001-01-01 00:00:00.000000'), ('domain.defaults.comments.deletion.author', 'true', '0001-01-01 00:00:00.000000'), ('domain.defaults.comments.deletion.moderator', 'true', '0001-01-01 00:00:00.000000'), ('domain.defaults.comments.editing.author', 'true', '0001-01-01 00:00:00.000000'), diff --git a/frontend/app/_models/config.ts b/frontend/app/_models/config.ts index 11ddd516..0ded8049 100644 --- a/frontend/app/_models/config.ts +++ b/frontend/app/_models/config.ts @@ -30,6 +30,7 @@ export enum InstanceConfigItemKey { authSignupConfirmCommenter = 'auth.signup.confirm.commenter', authSignupConfirmUser = 'auth.signup.confirm.user', authSignupEnabled = 'auth.signup.enabled', + authSsoSignupEnabled = 'auth.signup.sso.enabled', integrationsUseGravatar = 'integrations.useGravatar', operationNewOwnerEnabled = 'operation.newOwner.enabled', // Domain defaults diff --git a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts index b282586c..1eaf1085 100644 --- a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts +++ b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts @@ -21,6 +21,7 @@ describe('DynConfigItemNamePipe', () => { {in: 'auth.signup.confirm.commenter', want: 'New commenters must confirm their email'}, {in: 'auth.signup.confirm.user', want: 'New users must confirm their email'}, {in: 'auth.signup.enabled', want: 'Enable registration of new users'}, + {in: 'auth.signup.sso.enabled', want: 'Enable registration of new users via SSO' }, {in: 'integrations.useGravatar', want: 'Use Gravatar for user avatars'}, {in: 'operation.newOwner.enabled', want: 'Non-owner users can add domains'}, // Domain defaults diff --git a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts index 7d3dc792..723e8149 100644 --- a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts +++ b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts @@ -12,6 +12,7 @@ export class DynConfigItemNamePipe implements PipeTransform { [InstanceConfigItemKey.authSignupConfirmCommenter]: $localize`New commenters must confirm their email`, [InstanceConfigItemKey.authSignupConfirmUser]: $localize`New users must confirm their email`, [InstanceConfigItemKey.authSignupEnabled]: $localize`Enable registration of new users`, + [InstanceConfigItemKey.authSsoSignupEnabled]: $localize`Enable registration of new users via SSO`, [InstanceConfigItemKey.integrationsUseGravatar]: $localize`Use Gravatar for user avatars`, [InstanceConfigItemKey.operationNewOwnerEnabled]: $localize`Non-owner users can add domains`, // Domain defaults diff --git a/internal/api/restapi/handlers/oauth.go b/internal/api/restapi/handlers/oauth.go index 0d8cd282..01324302 100644 --- a/internal/api/restapi/handlers/oauth.go +++ b/internal/api/restapi/handlers/oauth.go @@ -220,7 +220,7 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re var cfgItem *data.DynConfigItem if domain == nil { // Frontend signup - cfgItem, err = svc.Services.DynConfigService().Get(data.ConfigKeyAuthSignupEnabled) + cfgItem, err = svc.Services.DynConfigService().Get(data.ConfigKeyAuthSsoSignupEnabled) } else if sso { // SSO embed signup @@ -248,9 +248,18 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re return errors.New(errMessage) } + // Check if the superuser claim is set + superuser := false + if raw, ok := fedUser.RawData[config.ServerConfig.SuperuserClaim]; ok { + if isAdmin, ok := raw.(bool); ok && isAdmin { + superuser = true + } + } + // Insert a new user user = data.NewUser(fedUser.Email, fedUserName). WithConfirmed(true). // Confirm the user right away as we trust the IdP + WithSuperuser(superuser). WithLangFromReq(params.HTTPRequest). WithSignup(params.HTTPRequest, authSession.Host, !config.ServerConfig.LogFullIPs). WithFederated(fedUser.UserID, idpID). diff --git a/internal/config/config.go b/internal/config/config.go index e1292447..1715a7f6 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -36,6 +36,7 @@ type ServerConfiguration struct { TemplatePath string `long:"template-path" description:"Path to template files" default:"./templates" env:"TEMPLATE_PATH"` SecretsFile string `long:"secrets" description:"Path to YAML file with secrets" default:"secrets.yaml" env:"SECRETS_FILE"` Superuser string `long:"superuser" description:"ID or email of user to be made superuser" default:"" env:"SUPERUSER"` + SuperuserClaim string `long:"superuser-claim" description:"Name of the OIDC claim for superusers" default:"is_superuser" env:"SUPERUSER_CLAIM"` LogFullIPs bool `long:"log-full-ips" description:"Log IP addresses in full" env:"LOG_FULL_IPS"` HomeContentURL string `long:"home-content-url" description:"URL of a HTML page to display on homepage" env:"HOME_CONTENT_URL"` GitLabURL string `long:"gitlab-url" description:"Custom GitLab URL for authentication" default:"" env:"GITLAB_URL"` diff --git a/internal/data/dyn_config.go b/internal/data/dyn_config.go index 8595ea2a..621fd132 100644 --- a/internal/data/dyn_config.go +++ b/internal/data/dyn_config.go @@ -170,6 +170,7 @@ const ( ConfigKeyAuthSignupConfirmCommenter DynConfigItemKey = "auth.signup.confirm.commenter" ConfigKeyAuthSignupConfirmUser DynConfigItemKey = "auth.signup.confirm.user" ConfigKeyAuthSignupEnabled DynConfigItemKey = "auth.signup.enabled" + ConfigKeyAuthSsoSignupEnabled DynConfigItemKey = "auth.signup.sso.enabled" ConfigKeyIntegrationsUseGravatar DynConfigItemKey = "integrations.useGravatar" ConfigKeyOperationNewOwnerEnabled DynConfigItemKey = "operation.newOwner.enabled" ) @@ -203,6 +204,7 @@ var DefaultDynInstanceConfig = DynConfigMap{ ConfigKeyAuthSignupConfirmCommenter: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, ConfigKeyAuthSignupConfirmUser: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, ConfigKeyAuthSignupEnabled: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, + ConfigKeyAuthSsoSignupEnabled: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth}, ConfigKeyIntegrationsUseGravatar: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionIntegrations}, ConfigKeyOperationNewOwnerEnabled: {DefaultValue: "false", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionMisc}, ConfigKeyDomainDefaultsPrefix + DomainConfigKeyCommentDeletionAuthor: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionComments},