feat(chalice): force SSO

2023-01-23 17:49:30 +01:00 · 2023-01-23 17:49:30 +01:00 · b3d9c75094
commit b3d9c75094
parent 0519a49815
3 changed files with 8 additions and 0 deletions
--- a/ee/api/chalicelib/core/reset_password.py
+++ b/ee/api/chalicelib/core/reset_password.py
@ -1,3 +1,5 @@
+from decouple import config
+
 import schemas
 from chalicelib.core import users
 from chalicelib.utils import email_helper, captcha, helper
@ -15,6 +17,8 @@ def reset(data: schemas.ForgetPasswordPayloadSchema):
        # ---FOR SSO
        if a_user.get("origin") is not None and a_user.get("hasPassword", False) is False:
            return {"errors": ["Please use your SSO to login"]}
+        if config("enforce_SSO", cast=bool, default=False) and not a_user["superAdmin"]:
+            return {"errors": ["Please use your SSO to login, enforced by admin"]}
        # ----------
        invitation_link = users.generate_new_invitation(user_id=a_user["id"])
        email_helper.send_forgot_password(recipient=data.email, invitation_link=invitation_link)
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@ -741,6 +741,9 @@ def authenticate(email, password, for_change_password=False):
        if for_change_password:
            return True
        r = helper.dict_to_camel_case(r)
+        if config("enforce_SSO", cast=bool, default=False) and not r["superAdmin"]:
+            return {"errors": ["must sign-in with SSO, enforced by admin"]}
+
        jwt_iat = change_jwt_iat(r['userId'])
        iat = TimeUTC.datetime_to_timestamp(jwt_iat)
        return {
--- a/scripts/helmcharts/vars.yaml
+++ b/scripts/helmcharts/vars.yaml
@ -149,6 +149,7 @@ chalice:
    # idp_sls_url: ''
    # idp_name: ''
    # idp_tenantKey: ''
+    # enforce_SSO: 'false'

 # If you want to override something
 # chartname: