Commit c3a96719 authored by kaiyou's avatar kaiyou Committed by kaiyou

Support SAML authentication with drift and force_sso

parent 633d1751
FROM ubuntu:20.04 as build-dep
# Use bash for the shell
SHELL ["bash", "-c"]
SHELL ["/usr/bin/bash", "-c"]
# Install Node v12 (LTS)
ENV NODE_VER="12.20.0"
......
......@@ -36,6 +36,7 @@ module Admin
@timeline_preview = Setting.timeline_preview
@spam_check_enabled = Setting.spam_check_enabled
@trends_enabled = Setting.trends
@force_oauth = Setting.force_oauth
end
private
......
......@@ -25,7 +25,7 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
def after_sign_in_path_for(resource)
if resource.email_verified?
root_path
stored_location_for(:user) || root_path
else
auth_setup_path(missing_email: '1')
end
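Review bot: The new `stored_location_for(:user) || root_path` line hard-codes the `:user` scope even though the method already receives `resource`; Devise's `stored_location_for` accepts a resource as well as a scope, so `stored_location_for(resource) || root_path` keeps the lookup tied to whatever actually signed in. Note that `stored_location_for` deletes the session entry when it reads it, which is fine here because the unverified branch never reads it and the location survives for a later sign-in. The redirect stays local because Devise's `store_location_for` keeps only the path and query of the saved location, so this does not introduce an open redirect unless something else writes that session key directly. The method's closing `end` is outside the hunk.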
......
......@@ -36,6 +36,7 @@ class Form::AdminSettings
show_domain_blocks_rationale
noindex
require_invite_text
force_oauth
).freeze
BOOLEAN_KEYS = %i(
......@@ -53,6 +54,7 @@ class Form::AdminSettings
trendable_by_default
noindex
require_invite_text
force_oauth
).freeze
UPLOAD_KEYS = %i(
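Review bot: The new key added to both KEYS and BOOLEAN_KEYS is named `force_oauth`, while the commit title, the admin label and the hint text all describe the feature as SSO/SAML, and the only provider configured in this diff is SAML rather than OAuth. Setting keys are persisted and exposed through the admin settings form, so renaming later is disruptive; if the intent is to cover any omniauth provider, a comment such as `# force_oauth: hide password login/registration on the landing page when an SSO provider is configured` next to the key would at least make the name's meaning explicit. The same naming applies to the `settings.yml` default and the locale entries in this commit.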
......
......@@ -13,8 +13,13 @@
.landing__grid
.landing__grid__column.landing__grid__column-registration
.box-widget
= render 'registration'
- if Setting.force_oauth
.box-widget
.actions
= link_to t('auth.login_sso'), user_session_path, class: 'button'
- else
.box-widget
= render 'registration'
.directory
- if Setting.profile_directory
......@@ -45,8 +50,9 @@
%small= t('about.apps_platforms')
.landing__grid__column.landing__grid__column-login
.box-widget
= render 'login'
- if !Setting.force_oauth
.box-widget
= render 'login'
.hero-widget
.hero-widget__img
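Review bot: The `- if Setting.force_oauth` branches only hide the landing-page registration and login widgets; the replacement link points at `user_session_path`, and nothing in this commit touches the sessions or registrations controllers, so password login and sign-up presumably remain reachable at their normal routes. The en.yml hint for the setting says other authentication or registration features are "completely" disabled, which overstates what these templates do; either soften the hint or enforce the setting server-side with a redirect in the password session and registration actions when `Setting.force_oauth` is set. It would also be safer to guard the SSO-only branch with `Devise.omniauth_providers.any?` so that enabling the flag on an instance with no provider configured does not strip the landing page down to a single SSO link.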
......
......@@ -71,6 +71,8 @@
= feature_hint(link_to(t('admin.dashboard.feature_relay'), admin_relays_path), @relay_enabled)
%li
= feature_hint(link_to(t('admin.dashboard.feature_spam_check'), edit_admin_settings_path), @spam_check_enabled)
%li
= feature_hint(link_to(t('admin.dashboard.force_oauth'), edit_admin_settings_path), @force_oauth)
.dashboard__widgets__versions
%div
......
......@@ -95,6 +95,9 @@
.fields-group
= f.input :spam_check_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.spam_check_enabled.title'), hint: t('admin.settings.spam_check_enabled.desc_html')
.fields-group
= f.input :force_oauth, as: :boolean, wrapper: :with_label, label: t('admin.settings.force_oauth.title'), hint: t('admin.settings.force_oauth.desc_html')
%hr.spacer/
.fields-group
......
......@@ -60,6 +60,7 @@ Devise.setup do |config|
saml_options[:attribute_statements][:verified] = [ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED']] if ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED']
saml_options[:attribute_statements][:verified_email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL']
saml_options[:uid_attribute] = ENV['SAML_UID_ATTRIBUTE'] if ENV['SAML_UID_ATTRIBUTE']
saml_options[:allowed_clock_drift] = ENV['SAML_ALLOWED_CLOCK_DRIFT'] if ENV['SAML_ALLOWED_CLOCK_DRIFT']
config.omniauth :saml, saml_options
end
end
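Review bot: The new `saml_options[:allowed_clock_drift]` assignment passes the raw ENV string, whereas the option is a number of seconds; converting explicitly with `saml_options[:allowed_clock_drift] = Float(ENV['SAML_ALLOWED_CLOCK_DRIFT']) if ENV['SAML_ALLOWED_CLOCK_DRIFT']` makes a mistyped value fail at boot instead of being silently coerced downstream (as far as I recall the SAML library calls `to_f` on it, which would turn a typo into zero drift). Since this value widens the window in which an assertion's NotBefore/NotOnOrAfter conditions are accepted, a short comment like `# seconds of tolerance for IdP/SP clock skew; keep this small, it loosens assertion timing checks` would help operators set it deliberately. The enclosing `Devise.setup` block and the conditional around the SAML options start outside the hunk.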
......@@ -624,6 +624,9 @@ en:
spam_check_enabled:
desc_html: Mastodon can auto-report accounts that send repeated unsolicited messages. There may be false positives.
title: Anti-spam automation
force_oauth:
desc_html: If SSO authentication is enabled, Mastodon can completely disable other authentication or registration features.
title: Force SSO authentication
thumbnail:
desc_html: Used for previews via OpenGraph and API. 1200x630px recommended
title: Server thumbnail
......@@ -741,6 +744,7 @@ en:
link_to_otp: Enter a two-factor code from your phone or a recovery code
link_to_webauth: Use your security key device
login: Log in
login_sso: Log in / Sign up
logout: Logout
migrate_account: Move to a different account
migrate_account_html: If you wish to redirect this account to a different one, you can <a href="%{path}">configure it here</a>.
......
......@@ -741,6 +741,7 @@ fr:
link_to_otp: Entrez un code à deux facteurs de votre téléphone ou un code de récupération
link_to_webauth: Utilisez votre appareil de clé de sécurité
login: Se connecter
login_sso: Se connecter / s'inscrire
logout: Se déconnecter
migrate_account: Déménager vers un compte différent
migrate_account_html: Si vous voulez rediriger ce compte vers un autre, vous pouvez le <a href="%{path}">configurer ici</a>.
......
......@@ -71,6 +71,7 @@ defaults: &defaults
show_domain_blocks: 'disabled'
show_domain_blocks_rationale: 'disabled'
require_invite_text: false
force_oauth: false
development:
<<: *defaults
......