Add a keepSsoRegistrationEnabled admin setting - Closes #317

2024-03-08 15:05:49 +01:00 · 2024-03-08 15:05:49 +01:00 · e6d201d882
parent 1a26c75325
commit e6d201d882
5 changed files with 43 additions and 7 deletions
--- a/app/Http/Controllers/Auth/SocialiteController.php
+++ b/app/Http/Controllers/Auth/SocialiteController.php
@ -57,7 +57,7 @@ class SocialiteController extends Controller
                return redirect('/error?err=sso_email_already_used');
            } elseif (User::count() === 0) {
                $user->promoteToAdministrator();
-            } elseif (Settings::get('disableRegistration')) {
+            } elseif (Settings::get('disableRegistration') && ! Settings::get('keepSsoRegistrationEnabled')) {
                return redirect('/error?err=sso_no_register');
            }
            $user->password = bcrypt(Str::random());
--- a/config/2fauth.php
+++ b/config/2fauth.php
@ -75,6 +75,7 @@ return [
        'disableRegistration' => false,
        'enableSso' => true,
        'restrictRegistration' => false,
+        'keepSsoRegistrationEnabled' => false,
    ],

    /*
--- a/resources/js/views/admin/AppSetup.vue
+++ b/resources/js/views/admin/AppSetup.vue
@ -29,6 +29,7 @@
        restrictList: appSettings.restrictList,
        restrictRule: appSettings.restrictRule,
        disableRegistration: appSettings.disableRegistration,
+        keepSsoRegistrationEnabled: appSettings.keepSsoRegistrationEnabled,
        enableSso: appSettings.enableSso,
    })

@ -171,6 +172,8 @@
                    <!-- protect db -->
                    <FormCheckbox v-model="_settings.useEncryption" @update:model-value="val => saveSetting('useEncryption', val)" fieldName="useEncryption" label="admin.forms.use_encryption.label" help="admin.forms.use_encryption.help" />
                    <h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('admin.registrations') }}</h4>
+                    <!-- disable SSO registration -->
+                    <FormCheckbox v-model="_settings.enableSso" @update:model-value="val => saveSetting('enableSso', val)" fieldName="enableSso" label="admin.forms.enable_sso.label" help="admin.forms.enable_sso.help" />
                    <!-- restrict registration -->
                    <FormCheckbox v-model="_settings.restrictRegistration" @update:model-value="val => saveSetting('restrictRegistration', val)" fieldName="restrictRegistration" :isDisabled="appSettings.disableRegistration" label="admin.forms.restrict_registration.label" help="admin.forms.restrict_registration.help" />
                        <!-- restrict list -->
@ -179,8 +182,8 @@
                        <FormField v-model="_settings.restrictRule" @change:model-value="val => saveOrDeleteSetting('restrictRule', val)" :fieldError="fieldErrors.restrictRule" fieldName="restrictRule" :isDisabled="!appSettings.restrictRegistration || appSettings.disableRegistration" label="admin.forms.restrict_rule.label" help="admin.forms.restrict_rule.help" :isIndented="true" leftIcon="slash" rightIcon="slash" />
                    <!-- disable registration -->
                    <FormCheckbox v-model="_settings.disableRegistration" @update:model-value="val => saveSetting('disableRegistration', val)" fieldName="disableRegistration" label="admin.forms.disable_registration.label" help="admin.forms.disable_registration.help" />
-                    <!-- disable SSO registration -->
-                    <FormCheckbox v-model="_settings.enableSso" @update:model-value="val => saveSetting('enableSso', val)" fieldName="enableSso" label="admin.forms.enable_sso.label" help="admin.forms.enable_sso.help" />
+                        <!-- keep sso registration -->
+                        <FormCheckbox v-model="_settings.keepSsoRegistrationEnabled" @change:model-value="val => saveOrDeleteSetting('keepSsoRegistrationEnabled', val)" :fieldError="fieldErrors.keepSsoRegistrationEnabled" fieldName="keepSsoRegistrationEnabled" :isDisabled="!appSettings.enableSso || !appSettings.disableRegistration" label="admin.forms.keep_sso_registration_enabled.label" help="admin.forms.keep_sso_registration_enabled.help" :isIndented="true" />
                </form>

                <h4 class="title is-4 pt-5 has-text-grey-light">{{ $t('commons.environment') }}</h4>
--- a/resources/lang/en/admin.php
+++ b/resources/lang/en/admin.php
@ -76,7 +76,7 @@ return [
        ],
        'restrict_registration' => [
            'label' => 'Restrict registration',
-            'help' => 'Make registration only available to a limited range of email addresses. Both rules can be used simultaneously.',
+            'help' => 'Make registration only available to a limited range of email addresses. Both rules can be used simultaneously. This has no effect on registration via SSO.',
        ],
        'restrict_list' => [
            'label' => 'Filtering list',
@ -88,12 +88,16 @@ return [
        ],
        'disable_registration' => [
            'label' => 'Disable registration',
-            'help' => 'Prevent new user registration. This affects SSO as well, so new SSO users won\'t be able to sign on',
+            'help' => 'Prevent new user registration. Unless overridden (see below), this affects SSO as well, so new users won\'t be able to sign in via SSO',
        ],
        'enable_sso' => [
            'label' => 'Enable Single Sign-On (SSO)',
            'help' => 'Allow visitors to authenticate using an external ID via the Single Sign-On scheme',
        ],
+        'keep_sso_registration_enabled' => [
+            'label' => 'Keep SSO registration enabled',
+            'help' => 'Allow new users to sign in for the first time via SSO whereas registration is disabled',
+        ],
        'is_admin' => [
            'label' => 'Is administrator',
            'help' => 'Give administrator rights to the user. Administrators have permissions to manage the whole app, i.e. settings and other users, but cannot generate password for a 2FA they don\'t own.'
--- a/tests/Feature/Http/Auth/SocialiteControllerTest.php
+++ b/tests/Feature/Http/Auth/SocialiteControllerTest.php
@ -253,9 +253,10 @@ class SocialiteControllerTest extends FeatureTestCase
    /**
     * @test
     */
-    public function test_callback_returns_error_when_registrations_are_closed()
+    public function test_callback_redirects_to_error_when_registrations_are_closed()
    {
        Settings::set('disableRegistration', true);
+        Settings::set('keepSsoRegistrationEnabled', false);

        $newSocialiteUser        = new \Laravel\Socialite\Two\User;
        $newSocialiteUser->id    = 'rejected_id';
@ -273,9 +274,10 @@ class SocialiteControllerTest extends FeatureTestCase
    /**
     * @test
     */
-    public function test_callback_skips_registration_when_registrations_are_closed()
+    public function test_callback_skips_registration_when_all_registrations_are_closed()
    {
        Settings::set('disableRegistration', true);
+        Settings::set('keepSsoRegistrationEnabled', false);

        $newSocialiteUser        = new \Laravel\Socialite\Two\User;
        $newSocialiteUser->id    = 'rejected_id';
@ -292,4 +294,30 @@ class SocialiteControllerTest extends FeatureTestCase
            'oauth_provider' => self::USER_OAUTH_PROVIDER,
        ]);
    }
+
+    /**
+     * @test
+     */
+    public function test_callback_registers_new_user_when_sso_registrations_are_enabled()
+    {
+        Settings::set('disableRegistration', true);
+        Settings::set('keepSsoRegistrationEnabled', true);
+
+        $newSocialiteUser        = new \Laravel\Socialite\Two\User;
+        $newSocialiteUser->id    = 'new_id';
+        $newSocialiteUser->name  = 'jane';
+        $newSocialiteUser->email = 'jane@provider.com';
+
+        Socialite::shouldReceive('driver->user')
+            ->andReturn($newSocialiteUser);
+
+        $response = $this->get('/socialite/callback/github', ['driver' => 'github']);
+
+        $this->assertDatabaseHas('users', [
+            'oauth_id'       => 'new_id',
+            'oauth_provider' => self::USER_OAUTH_PROVIDER,
+            'email'          => 'jane@provider.com',
+            'is_admin'       => 0,
+        ]);
+    }
 }