Add admin panel option to enable/disable SSO only mode (#740)

MbinOrg · May 4, 2024 · f517e4a · f517e4a
1 parent ade6907
commit f517e4a
Show file tree

Hide file tree

Showing 11 changed files with 31 additions and 8 deletions.
diff --git a/config/services.yaml b/config/services.yaml
@@ -160,6 +160,7 @@ services:
             $kbinCaptchaEnabled: "%env(bool:KBIN_CAPTCHA_ENABLED)%"
             $kbinFederationPageEnabled: "%env(bool:KBIN_FEDERATION_PAGE_ENABLED)%"
             $kbinAdminOnlyOauthClients: "%env(bool:KBIN_ADMIN_ONLY_OAUTH_CLIENTS)%"
+            $mbinSsoOnlyMode: "%sso_only_mode%"
 
     # Markdown
     App\Markdown\Factory\EnvironmentFactory:

diff --git a/src/Controller/Security/LoginController.php b/src/Controller/Security/LoginController.php
@@ -24,7 +24,7 @@ public function __invoke(AuthenticationUtils $utils, Request $request): Response
         $error = $utils->getLastAuthenticationError();
         $lastUsername = $utils->getLastUsername();
 
-        return $this->render('user/login.html.twig', ['last_username' => $lastUsername, 'error' => $error, 'not_sso_only_mode' => !$this->getParameter('sso_only_mode')]);
+        return $this->render('user/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]);
     }
 
     public function consent(Request $request, EntityManagerInterface $entityManager): Response

diff --git a/src/Controller/Security/RegisterController.php b/src/Controller/Security/RegisterController.php
@@ -7,18 +7,23 @@
 use App\Controller\AbstractController;
 use App\Form\UserRegisterType;
 use App\Service\IpResolver;
+use App\Service\SettingsManager;
 use App\Service\UserManager;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
 class RegisterController extends AbstractController
 {
-    public function __invoke(
-        UserManager $manager,
-        Request $request,
-        IpResolver $ipResolver
-    ): Response {
-        if ($this->getParameter('sso_only_mode')) {
+    public function __construct(
+        private readonly UserManager $manager,
+        private readonly IpResolver $ipResolver,
+        private readonly SettingsManager $settingsManager,
+    ) {
+    }
+
+    public function __invoke(Request $request): Response
+    {
+        if (true === $this->settingsManager->get('MBIN_SSO_ONLY_MODE')) {
             return $this->redirectToRoute('app_login');
         }
 

diff --git a/src/DTO/SettingsDto.php b/src/DTO/SettingsDto.php
@@ -29,6 +29,7 @@ public function __construct(
         public bool $KBIN_MERCURE_ENABLED,
         public bool $KBIN_FEDERATION_PAGE_ENABLED,
         public bool $KBIN_ADMIN_ONLY_OAUTH_CLIENTS,
+        public bool $MBIN_SSO_ONLY_MODE,
         public bool $MBIN_PRIVATE_INSTANCE,
         public bool $KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN,
         public bool $MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY,
@@ -57,6 +58,7 @@ public function mergeIntoDto(SettingsDto $dto): SettingsDto
         $dto->KBIN_MERCURE_ENABLED = $this->KBIN_MERCURE_ENABLED ?? $dto->KBIN_MERCURE_ENABLED;
         $dto->KBIN_FEDERATION_PAGE_ENABLED = $this->KBIN_FEDERATION_PAGE_ENABLED ?? $dto->KBIN_FEDERATION_PAGE_ENABLED;
         $dto->KBIN_ADMIN_ONLY_OAUTH_CLIENTS = $this->KBIN_ADMIN_ONLY_OAUTH_CLIENTS ?? $dto->KBIN_ADMIN_ONLY_OAUTH_CLIENTS;
+        $dto->MBIN_SSO_ONLY_MODE = $this->MBIN_SSO_ONLY_MODE ?? $dto->MBIN_SSO_ONLY_MODE;
         $dto->MBIN_PRIVATE_INSTANCE = $this->MBIN_PRIVATE_INSTANCE ?? $dto->MBIN_PRIVATE_INSTANCE;
         $dto->KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN = $this->KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN ?? $dto->KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN;
         $dto->MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY = $this->MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY ?? $dto->MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY;
@@ -87,6 +89,7 @@ public function jsonSerialize(): mixed
             'KBIN_MERCURE_ENABLED' => $this->KBIN_MERCURE_ENABLED,
             'KBIN_FEDERATION_PAGE_ENABLED' => $this->KBIN_FEDERATION_PAGE_ENABLED,
             'KBIN_ADMIN_ONLY_OAUTH_CLIENTS' => $this->KBIN_ADMIN_ONLY_OAUTH_CLIENTS,
+            'MBIN_SSO_ONLY_MODE' => $this->MBIN_SSO_ONLY_MODE,
             'MBIN_PRIVATE_INSTANCE' => $this->MBIN_PRIVATE_INSTANCE,
             'KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN' => $this->KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN,
             'MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY' => $this->MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY,

diff --git a/src/Form/SettingsType.php b/src/Form/SettingsType.php
@@ -36,6 +36,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
             ->add('KBIN_MERCURE_ENABLED', CheckboxType::class, ['required' => false])
             ->add('KBIN_FEDERATION_PAGE_ENABLED', CheckboxType::class, ['required' => false])
             ->add('KBIN_ADMIN_ONLY_OAUTH_CLIENTS', CheckboxType::class, ['required' => false])
+            ->add('MBIN_SSO_ONLY_MODE', CheckboxType::class, ['required' => false])
             ->add('MBIN_PRIVATE_INSTANCE', CheckboxType::class, ['required' => false])
             ->add('KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN', CheckboxType::class, ['required' => false])
             ->add('MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY', CheckboxType::class, ['required' => false])

diff --git a/src/Service/SettingsManager.php b/src/Service/SettingsManager.php
@@ -33,6 +33,7 @@ public function __construct(
         private readonly bool $kbinCaptchaEnabled,
         private readonly bool $kbinFederationPageEnabled,
         private readonly bool $kbinAdminOnlyOauthClients,
+        private readonly bool $mbinSsoOnlyMode,
     ) {
         if (!self::$dto) {
             $results = $this->repository->findAll();
@@ -64,6 +65,7 @@ public function __construct(
                 $this->find($results, 'KBIN_MERCURE_ENABLED', FILTER_VALIDATE_BOOLEAN) ?? false,
                 $this->find($results, 'KBIN_FEDERATION_PAGE_ENABLED', FILTER_VALIDATE_BOOLEAN) ?? $this->kbinFederationPageEnabled,
                 $this->find($results, 'KBIN_ADMIN_ONLY_OAUTH_CLIENTS', FILTER_VALIDATE_BOOLEAN) ?? $this->kbinAdminOnlyOauthClients,
+                $this->find($results, 'MBIN_SSO_ONLY_MODE', FILTER_VALIDATE_BOOLEAN) ?? $this->mbinSsoOnlyMode,
                 $this->find($results, 'MBIN_PRIVATE_INSTANCE', FILTER_VALIDATE_BOOLEAN) ?? false,
                 $this->find($results, 'KBIN_FEDERATED_SEARCH_ONLY_LOGGEDIN', FILTER_VALIDATE_BOOLEAN) ?? true,
                 $this->find($results, 'MBIN_SIDEBAR_SECTIONS_LOCAL_ONLY', FILTER_VALIDATE_BOOLEAN) ?? false,

diff --git a/src/Twig/Extension/SettingsExtension.php b/src/Twig/Extension/SettingsExtension.php
@@ -22,6 +22,7 @@ public function getFunctions(): array
             new TwigFunction('mbin_default_theme', [SettingsExtensionRuntime::class, 'mbinDefaultTheme']),
             new TwigFunction('kbin_registrations_enabled', [SettingsExtensionRuntime::class, 'kbinRegistrationsEnabled']),
             new TwigFunction('mbin_sso_registrations_enabled', [SettingsExtensionRuntime::class, 'mbinSsoRegistrationsEnabled']),
+            new TwigFunction('mbin_sso_only_mode', [SettingsExtensionRuntime::class, 'mbinSsoOnlyMode']),
             new TwigFunction('kbin_header_logo', [SettingsExtensionRuntime::class, 'kbinHeaderLogo']),
             new TwigFunction('kbin_captcha_enabled', [SettingsExtensionRuntime::class, 'kbinCaptchaEnabled']),
             new TwigFunction('kbin_mercure_enabled', [SettingsExtensionRuntime::class, 'kbinMercureEnabled']),

diff --git a/src/Twig/Runtime/SettingsExtensionRuntime.php b/src/Twig/Runtime/SettingsExtensionRuntime.php
@@ -58,6 +58,11 @@ public function mbinSsoRegistrationsEnabled(): bool
         return $this->settings->get('MBIN_SSO_REGISTRATIONS_ENABLED');
     }
 
+    public function mbinSsoOnlyMode(): bool
+    {
+        return $this->settings->get('MBIN_SSO_ONLY_MODE');
+    }
+
     public function kbinDefaultLang(): string
     {
         return $this->settings->get('KBIN_DEFAULT_LANG');

diff --git a/templates/admin/settings.html.twig b/templates/admin/settings.html.twig
@@ -43,6 +43,10 @@
                 {{ form_label(form.MBIN_SSO_REGISTRATIONS_ENABLED, 'sso_registrations_enabled') }}
                 {{ form_widget(form.MBIN_SSO_REGISTRATIONS_ENABLED) }}
             </div>
+            <div class="checkbox">
+                {{ form_label(form.MBIN_SSO_ONLY_MODE, 'sso_only_mode') }}
+                {{ form_widget(form.MBIN_SSO_ONLY_MODE) }}
+            </div>
             <div class="checkbox">
                 {{ form_label(form.KBIN_CAPTCHA_ENABLED, 'captcha_enabled') }}
                 {{ form_widget(form.KBIN_CAPTCHA_ENABLED) }}

diff --git a/templates/user/login.html.twig b/templates/user/login.html.twig
@@ -17,7 +17,7 @@
     {% include 'layout/_flash.html.twig' %}
     <div id="content" class="section">
         <div class="container">
-            {% if not_sso_only_mode %}
+            {% if not mbin_sso_only_mode() %}
             <form method="post">
                 {% if error %}
                     <div class="alert alert__danger">{{ error.messageKey|trans(error.messageData, 'security')|raw }}</div>

diff --git a/translations/messages.en.yaml b/translations/messages.en.yaml
@@ -810,5 +810,6 @@ hide: Hide
 edited: edited
 sso_registrations_enabled: SSO registrations enabled
 sso_registrations_enabled.error: New account registrations with third-party identity managers are currently disabled.
+sso_only_mode: Restrict login and registration to SSO methods only
 related_entry: Related
 restrict_magazine_creation: Restrict local magazine creation to admins and global mods