Enable toggling of the direct login feature in the superuser panel
Allows superusers to disable login to the UI via credentials if at least one OIDC provider is configured
This commit is contained in:
Joseph Schorr
parent
8e8470890a
commit
2b9873483a
6 changed files with 142 additions and 53 deletions
22
util/config/validators/validate_access.py
Normal file
22
util/config/validators/validate_access.py
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
from app import app
|
||||
from util.config.validators import BaseValidator, ConfigValidationException
|
||||
from oauth.loginmanager import OAuthLoginManager
|
||||
from oauth.oidc import OIDCLoginService
|
||||
|
||||
class AccessSettingsValidator(BaseValidator):
|
||||
name = "access"
|
||||
|
||||
@classmethod
|
||||
def validate(cls, config, user, user_password):
|
||||
if not config.get('FEATURE_DIRECT_LOGIN', True):
|
||||
# Make sure we have at least one OIDC enabled.
|
||||
github_login = config.get('FEATURE_GITHUB_LOGIN', False)
|
||||
google_login = config.get('FEATURE_GOOGLE_LOGIN', False)
|
||||
|
||||
client = app.config['HTTPCLIENT']
|
||||
login_manager = OAuthLoginManager(config, client=client)
|
||||
custom_oidc = [s for s in login_manager.services if isinstance(s, OIDCLoginService)]
|
||||
|
||||
if not github_login and not google_login and not custom_oidc:
|
||||
msg = 'Cannot disable credentials login to UI without configured OIDC service'
|
||||
raise ConfigValidationException(msg)
|
||||
Reference in a new issue