Ability to disable openid or password login

2026-05-09 12:01:08 -04:00 · 2014-03-02 21:54:50 +02:00
parent 524c2b8203
commit 0a511e4f8a
5 changed files with 37 additions and 11 deletions
--- a/rd_ui/app/login.html
+++ b/rd_ui/app/login.html
@@ -56,6 +56,8 @@
                </button>
            </form>

+            {% if show_google_openid %}
+
            <div class="login-or">
                <hr class="hr-or">
                <span class="span-or">or</span>
@@ -66,6 +68,8 @@
                    <a href="/google_auth/login?next={{next}}" class="btn btn-lg btn-info btn-block">Google</a>
                </div>
            </div>
+
+            {% endif %}
        </div>

    </div>
--- a/redash/authentication.py
+++ b/redash/authentication.py
@@ -23,9 +23,6 @@ def sign(key, path, expires):


 class HMACAuthentication(object):
-    def __init__(self, auth):
-        self.auth = auth
-
    @staticmethod
    def api_key_authentication():
        signature = request.args.get('signature')
@@ -92,14 +89,15 @@ def load_user(user_id):


 def setup_authentication(app):
-    openid_auth = GoogleAuth(app, url_prefix="/google_auth")
-    # If we don't have a list of external users, we can use Google's federated login, which limits
-    # the domain with which you can sign in.
-    if not settings.ALLOWED_EXTERNAL_USERS and settings.GOOGLE_APPS_DOMAIN:
-        openid_auth._OPENID_ENDPOINT = "https://www.google.com/a/%s/o8/ud?be=o8" % settings.GOOGLE_APPS_DOMAIN
+    if settings.GOOGLE_OPENID_ENABLED:
+        openid_auth = GoogleAuth(app, url_prefix="/google_auth")
+        # If we don't have a list of external users, we can use Google's federated login, which limits
+        # the domain with which you can sign in.
+        if not settings.ALLOWED_EXTERNAL_USERS and settings.GOOGLE_APPS_DOMAIN:
+            openid_auth._OPENID_ENDPOINT = "https://www.google.com/a/%s/o8/ud?be=o8" % settings.GOOGLE_APPS_DOMAIN

    login_manager.init_app(app)
    app.wsgi_app = ProxyFix(app.wsgi_app)
    app.secret_key = settings.COOKIE_SECRET

-    return HMACAuthentication(openid_auth)
+    return HMACAuthentication()
--- a/redash/controllers.py
+++ b/redash/controllers.py
@@ -12,7 +12,7 @@ import cStringIO
 import datetime

 from flask import render_template, send_from_directory, make_response, request, jsonify, redirect, \
-    session
+    session, url_for
 from flask.ext.restful import Resource, abort
 from flask_login import current_user, login_user, logout_user

@@ -55,6 +55,10 @@ def login():
    if current_user.is_authenticated():
        return redirect(request.args.get('next') or '/')

+    if not settings.PASSWORD_LOGIN_ENABLED:
+        blueprint = app.extensions['googleauth'].blueprint
+        return redirect(url_for("%s.login" % blueprint.name, next=request.args.get('next')))
+
    if request.method == 'POST':
        user = models.User.select().where(models.User.email == request.form['username']).first()
        if user and user.verify_password(request.form['password']):
@@ -65,7 +69,8 @@ def login():
    return render_template("login.html",
                           analytics=settings.ANALYTICS,
                           next=request.args.get('next'),
-                           username=request.form.get('username', ''))
+                           username=request.form.get('username', ''),
+                           show_google_openid=settings.GOOGLE_OPENID_ENABLED)


@app.route('/logout')
--- a/redash/settings.py
+++ b/redash/settings.py
@@ -1,3 +1,4 @@
+import json
 import os
 import urlparse

@@ -32,6 +33,11 @@ def array_from_string(str):

    return array

+
+def parse_boolean(str):
+    return json.loads(str.lower())
+
+
 REDIS_URL = os.environ.get('REDASH_REDIS_URL', "redis://localhost:6379")

 # "pg", "graphite" or "mysql"
@@ -48,6 +54,8 @@ DATABASE_CONFIG = parse_db_url(os.environ.get("REDASH_DATABASE_URL", "postgresql
 # Google Apps domain to allow access from; any user with email in this Google Apps will be allowed
 # access
 GOOGLE_APPS_DOMAIN = os.environ.get("REDASH_GOOGLE_APPS_DOMAIN", "")
+GOOGLE_OPENID_ENABLED = parse_boolean(os.environ.get("REDASH_GOOGLE_OPENID_ENABLED", "true"))
+PASSWORD_LOGIN_ENABLED = parse_boolean(os.environ.get("REDASH_PASSWORD_LOGIN_ENABLED", "false"))
 # Email addresses of admin users (comma separated)
 ADMINS = array_from_string(os.environ.get("REDASH_ADMINS", ''))
 ALLOWED_EXTERNAL_USERS = array_from_string(os.environ.get("REDASH_ALLOWED_EXTERNAL_USERS", ''))
--- a/tests/test_controllers.py
+++ b/tests/test_controllers.py
@@ -2,6 +2,7 @@ from contextlib import contextmanager
 import json
 import time
 from unittest import TestCase
+from flask import url_for
 from flask.ext.login import current_user
 from mock import patch
 from tests import BaseTestCase
@@ -337,6 +338,16 @@ class CsvQueryResultAPITest(BaseTestCase, AuthenticationTestMixin):


 class TestLogin(BaseTestCase):
+    def setUp(self):
+        settings.PASSWORD_LOGIN_ENABLED = True
+        super(TestLogin, self).setUp()
+
+    def test_redirects_to_google_login_if_password_disabled(self):
+        with app.test_client() as c, patch.object(settings, 'PASSWORD_LOGIN_ENABLED', False):
+            rv = c.get('/login')
+            self.assertEquals(rv.status_code, 302)
+            self.assertTrue(rv.location.endswith(url_for('GoogleAuth.login')))
+
    def test_get_login_form(self):
        with app.test_client() as c:
            rv = c.get('/login')