Make PAM gem optional, allow configuration over environment (#6415)
This commit is contained in:
parent
9b6223f5e2
commit
38e0133e1b
|
@ -136,6 +136,15 @@ STREAMING_CLUSTER_NUM=1
|
||||||
# UID=1000
|
# UID=1000
|
||||||
# GID=1000
|
# GID=1000
|
||||||
|
|
||||||
|
# PAM authentication (optional)
|
||||||
|
# PAM_ENABLED=true
|
||||||
|
# Suffix for email address generation (nil by default)
|
||||||
|
# PAM_DEFAULT_SUFFIX=pam
|
||||||
|
# Name of the pam service (pam "auth" section is evaluated)
|
||||||
|
# PAM_DEFAULT_SERVICE=rpam
|
||||||
|
# Name of the pam service used for checking if an user can register (pam "account" section is evaluated)
|
||||||
|
# PAM_CONTROLLED_SERVICE=rpam
|
||||||
|
|
||||||
# Optional CAS authentication (cf. omniauth-cas) :
|
# Optional CAS authentication (cf. omniauth-cas) :
|
||||||
# CAS_ENABLED=true
|
# CAS_ENABLED=true
|
||||||
# CAS_URL=https://sso.myserver.com/
|
# CAS_URL=https://sso.myserver.com/
|
||||||
|
|
2
Gemfile
2
Gemfile
|
@ -31,7 +31,7 @@ gem 'cld3', '~> 3.2.0'
|
||||||
gem 'devise', '~> 4.4'
|
gem 'devise', '~> 4.4'
|
||||||
gem 'devise-two-factor', '~> 3.0'
|
gem 'devise-two-factor', '~> 3.0'
|
||||||
|
|
||||||
gem 'devise_pam_authenticatable2', '~> 8.0'
|
gem 'devise_pam_authenticatable2', '~> 8.0', install_if: -> { ENV['PAM_ENABLED'] == 'true' }
|
||||||
gem 'omniauth-cas', '~> 1.1', install_if: -> { ENV['CAS_ENABLED'] == 'true' }
|
gem 'omniauth-cas', '~> 1.1', install_if: -> { ENV['CAS_ENABLED'] == 'true' }
|
||||||
gem 'omniauth-saml', '~> 1.8', install_if: -> { ENV['SAML_ENABLED'] == 'true' }
|
gem 'omniauth-saml', '~> 1.8', install_if: -> { ENV['SAML_ENABLED'] == 'true' }
|
||||||
gem 'omniauth', '~> 1.2'
|
gem 'omniauth', '~> 1.2'
|
||||||
|
|
|
@ -52,7 +52,7 @@ class User < ApplicationRecord
|
||||||
devise :registerable, :recoverable, :rememberable, :trackable, :validatable,
|
devise :registerable, :recoverable, :rememberable, :trackable, :validatable,
|
||||||
:confirmable
|
:confirmable
|
||||||
|
|
||||||
devise :pam_authenticatable
|
devise :pam_authenticatable if Devise.pam_authentication
|
||||||
devise :omniauthable
|
devise :omniauthable
|
||||||
|
|
||||||
belongs_to :account, inverse_of: :user
|
belongs_to :account, inverse_of: :user
|
||||||
|
|
|
@ -315,22 +315,13 @@ Devise.setup do |config|
|
||||||
# so you need to do it manually. For the users scope, it would be:
|
# so you need to do it manually. For the users scope, it would be:
|
||||||
# config.omniauth_path_prefix = '/my_engine/users/auth'
|
# config.omniauth_path_prefix = '/my_engine/users/auth'
|
||||||
|
|
||||||
# PAM: only look for email field
|
if ENV['PAM_ENABLED'] == 'true'
|
||||||
config.usernamefield = nil
|
config.pam_authentication = true
|
||||||
config.emailfield = "email"
|
config.usernamefield = nil
|
||||||
|
config.emailfield = 'email'
|
||||||
# authentication with pam possible
|
config.check_at_sign = true
|
||||||
# if not enabled, all pam settings are ignored
|
config.pam_default_suffix = ENV.fetch('PAM_DEFAULT_SUFFIX') { nil }
|
||||||
#config.pam_authentication = true
|
config.pam_default_service = ENV.fetch('PAM_DEFAULT_SERVICE') { 'rpam' }
|
||||||
# check if email is actually a username
|
config.pam_controlled_service = ENV.fetch('PAM_CONTROLLED_SERVICE') { 'rpam' }
|
||||||
config.check_at_sign = true
|
end
|
||||||
# suffix for email address generation (warning: without pam must provide email in the pam environment)
|
|
||||||
config.pam_default_suffix = "pam"
|
|
||||||
# name of the pam service
|
|
||||||
# pam "auth" section is evaluated
|
|
||||||
config.pam_default_service = "rpam"
|
|
||||||
# name of the pam service used for checking if an user can register
|
|
||||||
# pam "account" section is evaluated
|
|
||||||
# nil for allowing registration of pam names (not recommended)
|
|
||||||
config.pam_controlled_service = "rpam"
|
|
||||||
end
|
end
|
||||||
|
|
Reference in New Issue