Merge pull request #8467 from cfpb/sso/disable-password-reset

Disable password reset and hide login form with SSO
cfpb · Jun 12, 2024 · 90db013 · 90db013
2 parents e4c5597 + a15ffc2
commit 90db013
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 58 deletions.
diff --git a/cfgov/cfgov/settings/base.py b/cfgov/cfgov/settings/base.py
@@ -762,6 +762,9 @@
     LOGOUT_REDIRECT_URL = reverse_lazy("cfgov_login")
     ALLOW_LOGOUT_GET_METHOD = True
 
+    # Disable Wagtail password reset
+    WAGTAIL_PASSWORD_RESET_ENABLED = False
+
     # This OIDC client's id and secret
     OIDC_RP_CLIENT_ID = os.environ["OIDC_RP_CLIENT_ID"]
     OIDC_RP_CLIENT_SECRET = os.environ["OIDC_RP_CLIENT_SECRET"]

diff --git a/cfgov/login/templates/login/login.html b/cfgov/login/templates/login/login.html
@@ -1,12 +1,36 @@
 {% extends "wagtailadmin/login.html" %}
 {% load wagtailadmin_tags %}
 
-{% block below_login %}
+{% block above_login %}
     {% if sso_enabled %}
-        <hr>
+        {# Link via button to the OIDC provider #}
         <p><a href="{% url 'oidc_authentication_init' %}" class="button" style="text-align: center;">Sign in with Single Sign-On</a></p>
-        <hr>
+
+        {# Provide a link for alternative sign-in via username/password #}
+        {% if not others %}
+          <p style="text-align: center;"><a href="{% url 'wagtailadmin_login' %}?others=1" >Other ways to sign in</a></p>
+        {% else %}
+          <hr>
+        {% endif %}
     {% endif %}
+{% endblock %}
+
+{% block login_form %}
+  {# If SSO is enabled and "others" is not in the context, hide the login form #}
+  {% if not sso_enabled or others %}
+    {{ block.super }}
+  {% endif %}
+{% endblock %}
+
+{% block submit_buttons %}
+  {# If SSO is enabled and "others" is not in the context, hide the login form #}
+  {% if not sso_enabled or others %}
+    {{ block.super }}
+  {% endif %}
+{% endblock %}
+
+{% block below_login %}
+    <hr>
     <p>This is a Consumer Financial Protection Bureau (CFPB) information system. The CFPB is an independent agency of the United States Government. CFPB information systems are provided for the processing of official information only. Unauthorized or improper use of this system may result in administrative action, as well as civil and criminal penalties.</p>
     <p>Because this is a CFPB information system, you have no reasonable expectation of privacy regarding any communication or data, transiting or stored, on this information system. All data contained in CFPB information systems is owned by the CFPB, and your use of the CFPB information system serves as your consent to your usage being monitored, intercepted, recorded, read, copied, captured, or otherwise audited in any manner by authorized personnel, including, but not limited to, employees, contractors, and/or agents of the United States Government.</p>
 {% endblock %}
diff --git a/cfgov/login/views.py b/cfgov/login/views.py
@@ -8,5 +8,9 @@ class LoginView(WagtailLoginView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
+
+        # If SSO is enabled, we do not render the username/password form
+        # unless "others" is given as a GET parameter.
+        context["others"] = "others" in self.request.GET
         context["sso_enabled"] = settings.ENABLE_SSO
         return context
diff --git a/cfgov/wagtailadmin_overrides/templates/wagtailadmin/account/password_reset/confirm.html b/cfgov/wagtailadmin_overrides/templates/wagtailadmin/account/password_reset/confirm.html