karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
60c5fa22ca4c30c3e4dd045ea2505a1d5a237df4
nix/packages/comentario/superuser-claim.patch
Nikolaos Karaolidis 9764e4ebbf Add comentario 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-10 21:56:15 +01:00

210 lines
14 KiB
Diff
Raw Blame History

diff --git a/cypress/e2e/frontend/manage/config/config-manager.cy.ts b/cypress/e2e/frontend/manage/config/config-manager.cy.ts
index b4e3d94b..4ecccf7b 100644
--- a/cypress/e2e/frontend/manage/config/config-manager.cy.ts
+++ b/cypress/e2e/frontend/manage/config/config-manager.cy.ts
@@ -143,6 +143,7 @@ context('Config Manager', () => {
['New commenters must confirm their email', ''],
['New users must confirm their email', '✔'],
['Enable registration of new users', '✔'],
+ ['Enable registration of new users via SSO', '✔'],
['Show login dialog for unauthenticated users', '✔'],
['Enable commenter registration via external provider', '✔'],
['Enable local commenter registration', '✔'],
@@ -182,6 +183,7 @@ context('Config Manager', () => {
cy.get('@configEdit').find('#auth_signup_confirm_commenter') .should('not.be.checked').clickLabel().should('be.checked');
cy.get('@configEdit').find('#auth_signup_confirm_user') .should('be.checked') .clickLabel().should('not.be.checked');
cy.get('@configEdit').find('#auth_signup_enabled') .should('be.checked') .clickLabel().should('not.be.checked');
+ cy.get('@configEdit').find('#auth_signup_sso_enabled') .should('be.checked') .clickLabel().should('not.be.checked');
cy.get('@configEdit').find('#domain_defaults_comments_deletion_author') .should('be.checked') .clickLabel().should('not.be.checked');
cy.get('@configEdit').find('#domain_defaults_comments_deletion_moderator').should('be.checked') .clickLabel().should('not.be.checked');
cy.get('@configEdit').find('#domain_defaults_comments_editing_author') .should('be.checked') .clickLabel().should('not.be.checked');
@@ -219,6 +221,7 @@ context('Config Manager', () => {
['New commenters must confirm their email', '✔'],
['New users must confirm their email', ''],
['Enable registration of new users', ''],
+ ['Enable registration of new users via SSO', ''],
['Show login dialog for unauthenticated users', ''],
['Enable commenter registration via external provider', ''],
['Enable local commenter registration', '✔'],
@@ -283,6 +286,7 @@ context('Config Manager', () => {
[InstanceConfigKey.authSignupConfirmCommenter]: false,
[InstanceConfigKey.authSignupConfirmUser]: false,
[InstanceConfigKey.authSignupEnabled]: false,
+ [InstanceConfigKey.authSsoSignupEnabled]: false,
[InstanceConfigKey.domainDefaultsCommentDeletionAuthor]: false,
[InstanceConfigKey.domainDefaultsCommentDeletionModerator]: true,
[InstanceConfigKey.domainDefaultsCommentEditingAuthor]: true,
@@ -311,6 +315,7 @@ context('Config Manager', () => {
['New commenters must confirm their email', ''],
['New users must confirm their email', ''],
['Enable registration of new users', ''],
+ ['Enable registration of new users via SSO', ''],
['Show login dialog for unauthenticated users', ''],
['Enable commenter registration via external provider', ''],
['Enable local commenter registration', ''],
diff --git a/cypress/support/cy-utils.ts b/cypress/support/cy-utils.ts
index 4775dce0..c0a87913 100644
--- a/cypress/support/cy-utils.ts
+++ b/cypress/support/cy-utils.ts
@@ -199,6 +199,7 @@ export enum InstanceConfigKey {
authSignupConfirmCommenter = 'auth.signup.confirm.commenter',
authSignupConfirmUser = 'auth.signup.confirm.user',
authSignupEnabled = 'auth.signup.enabled',
+ authSsoSignupEnabled = 'auth.signup.sso.enabled',
integrationsUseGravatar = 'integrations.useGravatar',
operationNewOwnerEnabled = 'operation.newOwner.enabled',
// Domain defaults
diff --git a/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md b/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md
index 35acc2ba..9427c016 100644
--- a/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md
+++ b/docs/content/configuration/backend/dynamic/auth.signup.enabled.en.md
@@ -7,6 +7,7 @@ tags:
- administration
- Administration UI
seeAlso:
+ - auth.signup.sso.enabled
- domain.defaults.signup.enablefederated
- domain.defaults.signup.enablelocal
- domain.defaults.signup.enablesso
diff --git a/docs/content/configuration/backend/dynamic/auth.signup.sso.enabled.en.md b/docs/content/configuration/backend/dynamic/auth.signup.sso.enabled.en.md
new file mode 100644
index 00000000..66748b51
--- /dev/null
+++ b/docs/content/configuration/backend/dynamic/auth.signup.sso.enabled.en.md
@@ -0,0 +1,23 @@
+---
+title: Enable registration of new users via SSO
+description: auth.signup.sso.enabled
+tags:
+ - configuration
+ - dynamic configuration
+ - administration
+ - Administration UI
+seeAlso:
+ - auth.signup.enabled
+ - domain.defaults.signup.enablefederated
+ - domain.defaults.signup.enablelocal
+ - domain.defaults.signup.enablesso
+---
+
+This [dynamic configuration](/configuration/backend/dynamic) parameter controls whether new users are allowed to register in the Administration UI of Comentario via SSO.
+
+<!--more-->
+
+* If set to `On`, new users can register in the Administration UI via SSO.
+* If set to `Off`, new user registrations via SSO are forbidden.
+
+This setting applies only to the Administration UI.
diff --git a/e2e/plugin/db-seed.sql b/e2e/plugin/db-seed.sql
index 1e02e554..69aaec98 100644
--- a/e2e/plugin/db-seed.sql
+++ b/e2e/plugin/db-seed.sql
@@ -5,6 +5,7 @@ values
('auth.signup.confirm.commenter', 'false', '0001-01-01 00:00:00.000000'),
('auth.signup.confirm.user', 'true', '0001-01-01 00:00:00.000000'),
('auth.signup.enabled', 'true', '0001-01-01 00:00:00.000000'),
+ ('auth.signup.sso.enabled', 'true', '0001-01-01 00:00:00.000000'),
('domain.defaults.comments.deletion.author', 'true', '0001-01-01 00:00:00.000000'),
('domain.defaults.comments.deletion.moderator', 'true', '0001-01-01 00:00:00.000000'),
('domain.defaults.comments.editing.author', 'true', '0001-01-01 00:00:00.000000'),
diff --git a/frontend/app/_models/config.ts b/frontend/app/_models/config.ts
index 11ddd516..0ded8049 100644
--- a/frontend/app/_models/config.ts
+++ b/frontend/app/_models/config.ts
@@ -30,6 +30,7 @@ export enum InstanceConfigItemKey {
authSignupConfirmCommenter = 'auth.signup.confirm.commenter',
authSignupConfirmUser = 'auth.signup.confirm.user',
authSignupEnabled = 'auth.signup.enabled',
+ authSsoSignupEnabled = 'auth.signup.sso.enabled',
integrationsUseGravatar = 'integrations.useGravatar',
operationNewOwnerEnabled = 'operation.newOwner.enabled',
// Domain defaults
diff --git a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts
index b282586c..1eaf1085 100644
--- a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts
+++ b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.spec.ts
@@ -21,6 +21,7 @@ describe('DynConfigItemNamePipe', () => {
{in: 'auth.signup.confirm.commenter', want: 'New commenters must confirm their email'},
{in: 'auth.signup.confirm.user', want: 'New users must confirm their email'},
{in: 'auth.signup.enabled', want: 'Enable registration of new users'},
+ {in: 'auth.signup.sso.enabled', want: 'Enable registration of new users via SSO' },
{in: 'integrations.useGravatar', want: 'Use Gravatar for user avatars'},
{in: 'operation.newOwner.enabled', want: 'Non-owner users can add domains'},
// Domain defaults
diff --git a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts
index 7d3dc792..723e8149 100644
--- a/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts
+++ b/frontend/app/_modules/manage/_pipes/dyn-config-item-name.pipe.ts
@@ -12,6 +12,7 @@ export class DynConfigItemNamePipe implements PipeTransform {
[InstanceConfigItemKey.authSignupConfirmCommenter]: $localize`New commenters must confirm their email`,
[InstanceConfigItemKey.authSignupConfirmUser]: $localize`New users must confirm their email`,
[InstanceConfigItemKey.authSignupEnabled]: $localize`Enable registration of new users`,
+ [InstanceConfigItemKey.authSsoSignupEnabled]: $localize`Enable registration of new users via SSO`,
[InstanceConfigItemKey.integrationsUseGravatar]: $localize`Use Gravatar for user avatars`,
[InstanceConfigItemKey.operationNewOwnerEnabled]: $localize`Non-owner users can add domains`,
// Domain defaults
diff --git a/internal/api/restapi/handlers/oauth.go b/internal/api/restapi/handlers/oauth.go
index 0d8cd282..01324302 100644
--- a/internal/api/restapi/handlers/oauth.go
+++ b/internal/api/restapi/handlers/oauth.go
@@ -220,7 +220,7 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re
var cfgItem *data.DynConfigItem
if domain == nil {
// Frontend signup
- cfgItem, err = svc.Services.DynConfigService().Get(data.ConfigKeyAuthSignupEnabled)
+ cfgItem, err = svc.Services.DynConfigService().Get(data.ConfigKeyAuthSsoSignupEnabled)
} else if sso {
// SSO embed signup
@@ -248,9 +248,18 @@ func AuthOauthCallback(params api_general.AuthOauthCallbackParams) middleware.Re
return errors.New(errMessage)
}
+ // Check if the superuser claim is set
+ superuser := false
+ if raw, ok := fedUser.RawData[config.ServerConfig.SuperuserClaim]; ok {
+ if isAdmin, ok := raw.(bool); ok && isAdmin {
+ superuser = true
+ }
+ }
+
// Insert a new user
user = data.NewUser(fedUser.Email, fedUserName).
WithConfirmed(true). // Confirm the user right away as we trust the IdP
+ WithSuperuser(superuser).
WithLangFromReq(params.HTTPRequest).
WithSignup(params.HTTPRequest, authSession.Host, !config.ServerConfig.LogFullIPs).
WithFederated(fedUser.UserID, idpID).
diff --git a/internal/config/config.go b/internal/config/config.go
index e1292447..1715a7f6 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -36,6 +36,7 @@ type ServerConfiguration struct {
TemplatePath string `long:"template-path" description:"Path to template files" default:"./templates" env:"TEMPLATE_PATH"`
SecretsFile string `long:"secrets" description:"Path to YAML file with secrets" default:"secrets.yaml" env:"SECRETS_FILE"`
Superuser string `long:"superuser" description:"ID or email of user to be made superuser" default:"" env:"SUPERUSER"`
+ SuperuserClaim string `long:"superuser-claim" description:"Name of the OIDC claim for superusers" default:"is_superuser" env:"SUPERUSER_CLAIM"`
LogFullIPs bool `long:"log-full-ips" description:"Log IP addresses in full" env:"LOG_FULL_IPS"`
HomeContentURL string `long:"home-content-url" description:"URL of a HTML page to display on homepage" env:"HOME_CONTENT_URL"`
GitLabURL string `long:"gitlab-url" description:"Custom GitLab URL for authentication" default:"" env:"GITLAB_URL"`
diff --git a/internal/data/dyn_config.go b/internal/data/dyn_config.go
index 8595ea2a..621fd132 100644
--- a/internal/data/dyn_config.go
+++ b/internal/data/dyn_config.go
@@ -170,6 +170,7 @@ const (
ConfigKeyAuthSignupConfirmCommenter DynConfigItemKey = "auth.signup.confirm.commenter"
ConfigKeyAuthSignupConfirmUser DynConfigItemKey = "auth.signup.confirm.user"
ConfigKeyAuthSignupEnabled DynConfigItemKey = "auth.signup.enabled"
+ ConfigKeyAuthSsoSignupEnabled DynConfigItemKey = "auth.signup.sso.enabled"
ConfigKeyIntegrationsUseGravatar DynConfigItemKey = "integrations.useGravatar"
ConfigKeyOperationNewOwnerEnabled DynConfigItemKey = "operation.newOwner.enabled"
)
@@ -203,6 +204,7 @@ var DefaultDynInstanceConfig = DynConfigMap{
ConfigKeyAuthSignupConfirmCommenter: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
ConfigKeyAuthSignupConfirmUser: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
ConfigKeyAuthSignupEnabled: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
+ ConfigKeyAuthSsoSignupEnabled: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionAuth},
ConfigKeyIntegrationsUseGravatar: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionIntegrations},
ConfigKeyOperationNewOwnerEnabled: {DefaultValue: "false", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionMisc},
ConfigKeyDomainDefaultsPrefix + DomainConfigKeyCommentDeletionAuthor: {DefaultValue: "true", Datatype: ConfigDatatypeBool, Section: DynConfigItemSectionComments},
Reference in New Issue View Git Blame Copy Permalink