From 821bb1e8cb72bee56cf5c2a878043112cc7ea2fd Mon Sep 17 00:00:00 2001 From: David Taylor Date: Mon, 8 Feb 2021 10:04:33 +0000 Subject: [PATCH] FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows. --- .../addon/controllers/admin-user-index.js | 2 +- .../admin/addon/templates/user-index.hbs | 24 +++---- .../discourse/app/components/invite-panel.js | 2 +- .../discourse/app/controllers/application.js | 2 +- .../discourse/app/controllers/login.js | 2 +- .../app/controllers/preferences/account.js | 3 +- .../javascripts/discourse/app/models/user.js | 2 +- .../discourse/app/routes/application.js | 4 +- .../app/templates/preferences/account.hbs | 6 +- .../create-account-external-test.js | 2 +- .../discourse/tests/helpers/site-settings.js | 2 +- app/controllers/admin/users_controller.rb | 6 +- app/controllers/application_controller.rb | 4 +- app/controllers/groups_controller.rb | 2 +- app/controllers/invites_controller.rb | 2 +- app/controllers/session_controller.rb | 56 ++++++++--------- app/controllers/uploads_controller.rb | 2 +- app/controllers/user_api_keys_controller.rb | 4 +- .../users/omniauth_callbacks_controller.rb | 2 +- app/controllers/users_controller.rb | 20 +++--- app/helpers/application_helper.rb | 2 +- app/jobs/regular/export_csv_file.rb | 4 +- app/jobs/regular/export_user_archive.rb | 2 +- app/models/concerns/second_factor_manager.rb | 6 +- app/models/discourse_single_sign_on.rb | 26 ++++---- app/models/invite.rb | 2 +- app/serializers/admin_user_list_serializer.rb | 2 +- app/serializers/current_user_serializer.rb | 2 +- app/serializers/notification_serializer.rb | 2 +- app/serializers/user_serializer.rb | 6 +- app/services/user_updater.rb | 6 +- app/views/session/sso_login.html.erb | 2 +- config/locales/client.en.yml | 12 ++-- config/locales/server.en.yml | 62 +++++++++---------- config/site_settings.yml | 40 ++++++------ ...d_sso_provider_secrets_to_site_settings.rb | 14 +++-- ...20210204135429_rename_sso_site_settings.rb | 43 +++++++++++++ lib/auth/result.rb | 10 +-- lib/composer_messages_finder.rb | 2 +- lib/guardian.rb | 4 +- lib/guardian/user_guardian.rb | 10 +-- lib/single_sign_on_provider.rb | 6 +- lib/site_settings/deprecated_settings.rb | 22 ++++++- lib/site_settings/validations.rb | 4 +- .../enable_invite_only_validator.rb | 4 +- lib/validators/enable_sso_validator.rb | 6 +- script/benchmarks/site_setting/bench.rb | 2 +- script/benchmarks/site_setting/profile.rb | 4 +- .../composer_messages_finder_spec.rb | 4 +- .../concern/second_factor_manager_spec.rb | 8 +-- .../components/guardian/user_guardian_spec.rb | 4 +- spec/components/guardian_spec.rb | 28 ++++----- .../enable_invite_only_validator_spec.rb | 6 +- .../validators/enable_sso_validator_spec.rb | 10 +-- .../sso_overrides_email_validator_spec.rb | 8 +-- spec/jobs/export_csv_file_spec.rb | 4 +- spec/lib/site_settings/validations_spec.rb | 6 +- spec/models/discourse_single_sign_on_spec.rb | 52 ++++++++-------- spec/models/invite_spec.rb | 2 +- spec/requests/admin/users_controller_spec.rb | 20 +++--- spec/requests/api/users_spec.rb | 4 +- spec/requests/application_controller_spec.rb | 16 ++--- spec/requests/invites_controller_spec.rb | 4 +- .../omniauth_callbacks_controller_spec.rb | 18 +++--- spec/requests/session_controller_spec.rb | 52 ++++++++-------- spec/requests/uploads_controller_spec.rb | 4 +- spec/requests/users_controller_spec.rb | 32 +++++----- .../current_user_serializer_spec.rb | 6 +- .../notification_serializer_spec.rb | 6 +- spec/services/site_settings_spec.rb | 8 +-- spec/services/user_updater_spec.rb | 18 +++--- 71 files changed, 421 insertions(+), 355 deletions(-) create mode 100644 db/migrate/20210204135429_rename_sso_site_settings.rb diff --git a/app/assets/javascripts/admin/addon/controllers/admin-user-index.js b/app/assets/javascripts/admin/addon/controllers/admin-user-index.js index cfc0cd8c880..cea12a54167 100644 --- a/app/assets/javascripts/admin/addon/controllers/admin-user-index.js +++ b/app/assets/javascripts/admin/addon/controllers/admin-user-index.js @@ -590,7 +590,7 @@ export default Controller.extend(CanCheckEmails, { deleteSSORecord() { return bootbox.confirm( - I18n.t("admin.user.sso.confirm_delete"), + I18n.t("admin.user.discourse_connect.confirm_delete"), I18n.t("no_value"), I18n.t("yes_value"), (confirmed) => { diff --git a/app/assets/javascripts/admin/addon/templates/user-index.hbs b/app/assets/javascripts/admin/addon/templates/user-index.hbs index cc25a5b0cab..4ac76fb01df 100644 --- a/app/assets/javascripts/admin/addon/templates/user-index.hbs +++ b/app/assets/javascripts/admin/addon/templates/user-index.hbs @@ -70,8 +70,8 @@ {{/if}}
- {{#if siteSettings.sso_overrides_email}} - {{i18n "user.email.sso_override_instructions"}} + {{#if siteSettings.auth_overrides_email}} + {{i18n "user.email.auth_override_instructions"}} {{else if model.email}} {{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}} {{/if}} @@ -105,8 +105,8 @@
{{#if model.email}} {{#if model.secondary_emails}} - {{#if siteSettings.sso_overrides_email}} - {{i18n "user.email.sso_override_instructions"}} + {{#if siteSettings.auth_overrides_email}} + {{i18n "user.email.auth_override_instructions"}} {{else}} {{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}} {{/if}} @@ -646,11 +646,11 @@ {{#if model.single_sign_on_record}}
-

{{i18n "admin.user.sso.title"}}

+

{{i18n "admin.user.discourse_connect.title"}}

{{#with model.single_sign_on_record as |sso|}}
-
{{i18n "admin.user.sso.external_id"}}
+
{{i18n "admin.user.discourse_connect.external_id"}}
{{sso.external_id}}
{{#if model.can_delete_sso_record}}
@@ -658,22 +658,22 @@ class="btn-danger" action=(action "deleteSSORecord") icon="far-trash-alt" - label="admin.user.sso.delete_sso_record" + label="admin.user.discourse_connect.delete_sso_record" }}
{{/if}}
-
{{i18n "admin.user.sso.external_username"}}
+
{{i18n "admin.user.discourse_connect.external_username"}}
{{sso.external_username}}
-
{{i18n "admin.user.sso.external_name"}}
+
{{i18n "admin.user.discourse_connect.external_name"}}
{{sso.external_name}}
{{#if canAdminCheckEmails}}
-
{{i18n "admin.user.sso.external_email"}}
+
{{i18n "admin.user.discourse_connect.external_email"}}
{{#if ssoExternalEmail}}
{{ssoExternalEmail}}
{{else}} @@ -687,12 +687,12 @@
{{/if}}
-
{{i18n "admin.user.sso.external_avatar_url"}}
+
{{i18n "admin.user.discourse_connect.external_avatar_url"}}
{{sso.external_avatar_url}}
{{#if sso.last_payload}}
-
{{i18n "admin.user.sso.last_payload"}}
+
{{i18n "admin.user.discourse_connect.last_payload"}}
{{#each ssoPayload as |line|}} {{line}}
diff --git a/app/assets/javascripts/discourse/app/components/invite-panel.js b/app/assets/javascripts/discourse/app/components/invite-panel.js index 949ce17842a..5e30756d4c7 100644 --- a/app/assets/javascripts/discourse/app/components/invite-panel.js +++ b/app/assets/javascripts/discourse/app/components/invite-panel.js @@ -221,7 +221,7 @@ export default Component.extend({ ) { if (!canInviteViaEmail) { // can't invite via email, only existing users - return I18n.t("topic.invite_reply.sso_enabled"); + return I18n.t("topic.invite_reply.discourse_connect_enabled"); } else if (isPM) { // inviting to a message return I18n.t("topic.invite_private.email_or_username"); diff --git a/app/assets/javascripts/discourse/app/controllers/application.js b/app/assets/javascripts/discourse/app/controllers/application.js index e8615d2f944..e2ed3cdd19a 100644 --- a/app/assets/javascripts/discourse/app/controllers/application.js +++ b/app/assets/javascripts/discourse/app/controllers/application.js @@ -13,7 +13,7 @@ export default Controller.extend({ return ( !this.siteSettings.invite_only && this.siteSettings.allow_new_registrations && - !this.siteSettings.enable_sso + !this.siteSettings.enable_discourse_connect ); }, diff --git a/app/assets/javascripts/discourse/app/controllers/login.js b/app/assets/javascripts/discourse/app/controllers/login.js index 481b70453f6..d6150a22855 100644 --- a/app/assets/javascripts/discourse/app/controllers/login.js +++ b/app/assets/javascripts/discourse/app/controllers/login.js @@ -392,7 +392,7 @@ export default Controller.extend(ModalFunctionality, { } const skipConfirmation = - options && this.siteSettings.external_auth_skip_create_confirm; + options && this.siteSettings.auth_skip_create_confirm; const createAccountController = this.createAccount; createAccountController.setProperties({ diff --git a/app/assets/javascripts/discourse/app/controllers/preferences/account.js b/app/assets/javascripts/discourse/app/controllers/preferences/account.js index 4e7507b57ff..0a663156183 100644 --- a/app/assets/javascripts/discourse/app/controllers/preferences/account.js +++ b/app/assets/javascripts/discourse/app/controllers/preferences/account.js @@ -71,7 +71,8 @@ export default Controller.extend(CanCheckEmails, { return false; } else { return ( - !this.siteSettings.enable_sso && this.siteSettings.enable_local_logins + !this.siteSettings.enable_discourse_connect && + this.siteSettings.enable_local_logins ); } }, diff --git a/app/assets/javascripts/discourse/app/models/user.js b/app/assets/javascripts/discourse/app/models/user.js index 1077161b9b9..dc08ed3f302 100644 --- a/app/assets/javascripts/discourse/app/models/user.js +++ b/app/assets/javascripts/discourse/app/models/user.js @@ -755,7 +755,7 @@ const User = RestModel.extend({ @discourseComputed("can_delete_account") canDeleteAccount(canDeleteAccount) { - return !this.siteSettings.enable_sso && canDeleteAccount; + return !this.siteSettings.enable_discourse_connect && canDeleteAccount; }, delete: function () { diff --git a/app/assets/javascripts/discourse/app/routes/application.js b/app/assets/javascripts/discourse/app/routes/application.js index e355aa92f85..414860ecbd5 100644 --- a/app/assets/javascripts/discourse/app/routes/application.js +++ b/app/assets/javascripts/discourse/app/routes/application.js @@ -243,7 +243,7 @@ const ApplicationRoute = DiscourseRoute.extend(OpenComposer, { }, handleShowLogin() { - if (this.siteSettings.enable_sso) { + if (this.siteSettings.enable_discourse_connect) { const returnPath = encodeURIComponent(window.location.pathname); window.location = getURL("/session/sso?return_path=" + returnPath); } else { @@ -254,7 +254,7 @@ const ApplicationRoute = DiscourseRoute.extend(OpenComposer, { }, handleShowCreateAccount() { - if (this.siteSettings.enable_sso) { + if (this.siteSettings.enable_discourse_connect) { const returnPath = encodeURIComponent(window.location.pathname); window.location = getURL("/session/sso?return_path=" + returnPath); } else { diff --git a/app/assets/javascripts/discourse/app/templates/preferences/account.hbs b/app/assets/javascripts/discourse/app/templates/preferences/account.hbs index 182a11d7b16..62a7a4abe7f 100644 --- a/app/assets/javascripts/discourse/app/templates/preferences/account.hbs +++ b/app/assets/javascripts/discourse/app/templates/preferences/account.hbs @@ -15,7 +15,7 @@ {{/if}}
-{{#unless siteSettings.sso_overrides_avatar}} +{{#unless siteSettings.discourse_connect_overrides_avatar}}
@@ -94,8 +94,8 @@ {{/if}}
- {{#if siteSettings.sso_overrides_email}} - {{i18n "user.email.sso_override_instructions"}} + {{#if siteSettings.auth_overrides_email}} + {{i18n "user.email.auth_override_instructions"}} {{/if}} {{i18n "user.email.instructions"}}
diff --git a/app/assets/javascripts/discourse/tests/acceptance/create-account-external-test.js b/app/assets/javascripts/discourse/tests/acceptance/create-account-external-test.js index 0e0fb6deee5..75f21afb30e 100644 --- a/app/assets/javascripts/discourse/tests/acceptance/create-account-external-test.js +++ b/app/assets/javascripts/discourse/tests/acceptance/create-account-external-test.js @@ -32,7 +32,7 @@ acceptance("Create Account - external auth", function (needs) { }); test("when skip is enabled", async function (assert) { - this.siteSettings.external_auth_skip_create_confirm = true; + this.siteSettings.auth_skip_create_confirm = true; await visit("/"); assert.ok( diff --git a/app/assets/javascripts/discourse/tests/helpers/site-settings.js b/app/assets/javascripts/discourse/tests/helpers/site-settings.js index d84b53e4c73..43e60820dd1 100644 --- a/app/assets/javascripts/discourse/tests/helpers/site-settings.js +++ b/app/assets/javascripts/discourse/tests/helpers/site-settings.js @@ -29,7 +29,7 @@ const ORIGINAL_SETTINGS = { enable_twitter_logins: true, enable_facebook_logins: true, enable_github_logins: true, - enable_sso: false, + enable_discourse_connect: false, min_username_length: 3, max_username_length: 20, min_password_length: 8, diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index 63d97b4f8c0..68dd6da72ac 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -439,12 +439,12 @@ class Admin::UsersController < Admin::AdminController end def sync_sso - return render body: nil, status: 404 unless SiteSetting.enable_sso + return render body: nil, status: 404 unless SiteSetting.enable_discourse_connect begin sso = DiscourseSingleSignOn.parse("sso=#{params[:sso]}&sig=#{params[:sig]}") rescue DiscourseSingleSignOn::ParseError => e - return render json: failed_json.merge(message: I18n.t("sso.login_error")), status: 422 + return render json: failed_json.merge(message: I18n.t("discourse_connect.login_error")), status: 422 end begin @@ -453,7 +453,7 @@ class Admin::UsersController < Admin::AdminController rescue ActiveRecord::RecordInvalid => ex render json: failed_json.merge(message: ex.message), status: 403 rescue DiscourseSingleSignOn::BlankExternalId => ex - render json: failed_json.merge(message: I18n.t('sso.blank_id_error')), status: 422 + render json: failed_json.merge(message: I18n.t('discourse_connect.blank_id_error')), status: 422 end end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 5ea0184c67e..039f5d7c934 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -739,11 +739,11 @@ class ApplicationController < ActionController::Base def redirect_to_login dont_cache_page - if SiteSetting.external_auth_immediately && SiteSetting.enable_sso? + if SiteSetting.auth_immediately && SiteSetting.enable_discourse_connect? # save original URL in a session so we can redirect after login session[:destination_url] = destination_url redirect_to path('/session/sso') - elsif SiteSetting.external_auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data] + elsif SiteSetting.auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data] # Only one authentication provider, direct straight to it. # If authentication_data is present, then we are halfway though registration. Don't redirect offsite cookies[:destination_url] = destination_url diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 5a5dac37738..352fad2d49a 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -338,7 +338,7 @@ class GroupsController < ApplicationController if emails.any? if SiteSetting.enable_sso? - raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_sso")) + raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_discourse_connect")) elsif !SiteSetting.enable_local_logins? raise Discourse::InvalidParameters.new(I18n.t("no_invites_without_local_logins")) end diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb index 0b754ef1606..5d083158578 100644 --- a/app/controllers/invites_controller.rb +++ b/app/controllers/invites_controller.rb @@ -268,7 +268,7 @@ class InvitesController < ApplicationController if user.has_password? send_activation_email(user) unless user.active - elsif !SiteSetting.enable_sso && SiteSetting.enable_local_logins + elsif !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins Jobs.enqueue(:invite_password_instructions_email, username: user.username) end end diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb index 1af0ea5f69d..257ea5d9851 100644 --- a/app/controllers/session_controller.rb +++ b/app/controllers/session_controller.rb @@ -24,19 +24,19 @@ class SessionController < ApplicationController session.delete(:destination_url) cookies.delete(:destination_url) - if SiteSetting.enable_sso? + if SiteSetting.enable_discourse_connect? sso = DiscourseSingleSignOn.generate_sso(return_path) - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}") end - redirect_to sso_url(sso) + redirect_to discourse_connect_url(sso) else render body: nil, status: 404 end end def sso_provider(payload = nil) - if SiteSetting.enable_sso_provider + if SiteSetting.enable_discourse_connect_provider begin if !payload params.require(:sso) @@ -44,15 +44,15 @@ class SessionController < ApplicationController end sso = SingleSignOnProvider.parse(payload) rescue SingleSignOnProvider::BlankSecret - render plain: I18n.t("sso.missing_secret"), status: 400 + render plain: I18n.t("discourse_connect.missing_secret"), status: 400 return rescue SingleSignOnProvider::ParseError => e - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}") end # Do NOT pass the error text to the client, it would give them the correct signature - render plain: I18n.t("sso.login_error"), status: 422 + render plain: I18n.t("discourse_connect.login_error"), status: 422 return end @@ -138,7 +138,7 @@ class SessionController < ApplicationController end def sso_login - raise Discourse::NotFound.new unless SiteSetting.enable_sso + raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect params.require(:sso) params.require(:sig) @@ -146,26 +146,26 @@ class SessionController < ApplicationController begin sso = DiscourseSingleSignOn.parse(request.query_string) rescue DiscourseSingleSignOn::ParseError => e - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}") end # Do NOT pass the error text to the client, it would give them the correct signature - return render_sso_error(text: I18n.t("sso.login_error"), status: 422) + return render_sso_error(text: I18n.t("discourse_connect.login_error"), status: 422) end if !sso.nonce_valid? - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: Nonce has already expired\n\n#{sso.diagnostics}") end - return render_sso_error(text: I18n.t("sso.timeout_expired"), status: 419) + return render_sso_error(text: I18n.t("discourse_connect.timeout_expired"), status: 419) end if ScreenedIpAddress.should_block?(request.remote_ip) - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: IP address is blocked #{request.remote_ip}\n\n#{sso.diagnostics}") end - return render_sso_error(text: I18n.t("sso.unknown_error"), status: 500) + return render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500) end return_path = sso.return_path @@ -180,10 +180,10 @@ class SessionController < ApplicationController end if SiteSetting.must_approve_users? && !user.approved? - if SiteSetting.sso_not_approved_url.present? - redirect_to SiteSetting.sso_not_approved_url + if SiteSetting.discourse_connect_not_approved_url.present? + redirect_to SiteSetting.discourse_connect_not_approved_url else - render_sso_error(text: I18n.t("sso.account_not_approved"), status: 403) + render_sso_error(text: I18n.t("discourse_connect.account_not_approved"), status: 403) end return elsif !user.active? @@ -192,7 +192,7 @@ class SessionController < ApplicationController session["user_created_message"] = activation.message redirect_to(users_account_created_path) && (return) else - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}") end if user.id != current_user&.id @@ -206,7 +206,7 @@ class SessionController < ApplicationController uri = URI(return_path) if (uri.hostname == Discourse.current_hostname) return_path = uri.to_s - elsif !SiteSetting.sso_allows_all_return_paths + elsif !SiteSetting.discourse_connect_allows_all_return_paths return_path = path("/") end rescue @@ -223,11 +223,11 @@ class SessionController < ApplicationController redirect_to return_path else - render_sso_error(text: I18n.t("sso.not_found"), status: 500) + render_sso_error(text: I18n.t("discourse_connect.not_found"), status: 500) end rescue ActiveRecord::RecordInvalid => e - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn(<<~EOF) Verbose SSO log: Record was invalid: #{e.record.class.name} #{e.record.id} #{e.record.errors.to_h} @@ -245,17 +245,17 @@ class SessionController < ApplicationController # If there's a problem with the email we can explain that if (e.record.is_a?(User) && e.record.errors[:primary_email].present?) if e.record.email.blank? - text = I18n.t("sso.no_email") + text = I18n.t("discourse_connect.no_email") else - text = I18n.t("sso.email_error", email: ERB::Util.html_escape(e.record.email)) + text = I18n.t("discourse_connect.email_error", email: ERB::Util.html_escape(e.record.email)) end end - render_sso_error(text: text || I18n.t("sso.unknown_error"), status: 500) + render_sso_error(text: text || I18n.t("discourse_connect.unknown_error"), status: 500) rescue DiscourseSingleSignOn::BlankExternalId - render_sso_error(text: I18n.t("sso.blank_id_error"), status: 500) + render_sso_error(text: I18n.t("discourse_connect.blank_id_error"), status: 500) rescue => e message = +"Failed to create or lookup user: #{e}." @@ -266,7 +266,7 @@ class SessionController < ApplicationController Rails.logger.error(message) - render_sso_error(text: I18n.t("sso.unknown_error"), status: 500) + render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500) end end @@ -445,7 +445,7 @@ class SessionController < ApplicationController def destroy redirect_url = params[:return_url].presence || SiteSetting.logout_redirect.presence - sso = SiteSetting.enable_sso + sso = SiteSetting.enable_discourse_connect only_one_authenticator = !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 if SiteSetting.login_required && (sso || only_one_authenticator) # In this situation visiting most URLs will start the auth process again @@ -498,7 +498,7 @@ class SessionController < ApplicationController return if user&.admin? if (check_login_via_email && !SiteSetting.enable_local_logins_via_email) || - SiteSetting.enable_sso || + SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins raise Discourse::InvalidAccess, "SSO takes over local login or the local login is disallowed." end diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb index f11c1997c63..7e4db3e39cc 100644 --- a/app/controllers/uploads_controller.rb +++ b/app/controllers/uploads_controller.rb @@ -19,7 +19,7 @@ class UploadsController < ApplicationController # 50 characters ought to be enough for the upload type type = params.require(:type).parameterize(separator: "_")[0..50] - if type == "avatar" && !me.admin? && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars) + if type == "avatar" && !me.admin? && (SiteSetting.discourse_connect_overrides_avatar || !SiteSetting.allow_uploaded_avatars) return render json: failed_json, status: 422 end diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb index b8609190e2c..402a38e1d97 100644 --- a/app/controllers/user_api_keys_controller.rb +++ b/app/controllers/user_api_keys_controller.rb @@ -23,7 +23,7 @@ class UserApiKeysController < ApplicationController unless current_user cookies[:destination_url] = request.fullpath - if SiteSetting.enable_sso? + if SiteSetting.enable_discourse_connect? redirect_to path('/session/sso') else redirect_to path('/login') @@ -115,7 +115,7 @@ class UserApiKeysController < ApplicationController unless current_user cookies[:destination_url] = request.fullpath - if SiteSetting.enable_sso? + if SiteSetting.enable_discourse_connect? redirect_to path('/session/sso') else redirect_to path('/login') diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb index 513ae6f0125..12e021e9edf 100644 --- a/app/controllers/users/omniauth_callbacks_controller.rb +++ b/app/controllers/users/omniauth_callbacks_controller.rb @@ -40,7 +40,7 @@ class Users::OmniauthCallbacksController < ApplicationController preferred_origin = request.env['omniauth.origin'] - if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload) + if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload) preferred_origin = session_sso_provider_url + "?" + payload elsif cookies[:destination_url].present? preferred_origin = cookies[:destination_url] diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 91e5b048cfa..90d0219ea8a 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -179,7 +179,7 @@ class UsersController < ApplicationController end rescue Discourse::InvalidAccess if current_user&.staff? - render_json_error(I18n.t('errors.messages.sso_overrides_username')) + render_json_error(I18n.t('errors.messages.auth_overrides_username')) else render json: failed_json, status: 403 end @@ -412,8 +412,8 @@ class UsersController < ApplicationController )) else if current_user&.staff? - message = if SiteSetting.enable_sso - I18n.t("invite.disabled_errors.sso_enabled") + message = if SiteSetting.enable_discourse_connect + I18n.t("invite.disabled_errors.discourse_connect_enabled") elsif !SiteSetting.enable_local_logins I18n.t("invite.disabled_errors.local_logins_disabled") end @@ -436,8 +436,8 @@ class UsersController < ApplicationController render json: MultiJson.dump(invites: serialize_data(invites.to_a, InviteLinkSerializer), can_see_invite_details: guardian.can_see_invite_details?(inviter)) else if current_user&.staff? - message = if SiteSetting.enable_sso - I18n.t("invite.disabled_errors.sso_enabled") + message = if SiteSetting.enable_discourse_connect + I18n.t("invite.disabled_errors.discourse_connect_enabled") elsif !SiteSetting.enable_local_logins I18n.t("invite.disabled_errors.local_logins_disabled") end @@ -909,7 +909,7 @@ class UsersController < ApplicationController def account_created if current_user.present? - if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload) + if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload) return redirect_to(session_sso_provider_url + "?" + payload) elsif destination_url = cookies.delete(:destination_url) return redirect_to(destination_url) @@ -958,7 +958,7 @@ class UsersController < ApplicationController elsif destination_url = cookies[:destination_url] cookies[:destination_url] = nil return redirect_to(destination_url) - elsif SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload) + elsif SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload) return redirect_to(session_sso_provider_url + "?" + payload) end else @@ -1095,7 +1095,7 @@ class UsersController < ApplicationController user = fetch_user_from_params guardian.ensure_can_edit!(user) - if SiteSetting.sso_overrides_avatar + if SiteSetting.discourse_connect_overrides_avatar return render json: failed_json, status: 422 end @@ -1276,7 +1276,7 @@ class UsersController < ApplicationController end def list_second_factors - raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins + raise Discourse::NotFound if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins unless params[:password].empty? RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed! @@ -1448,7 +1448,7 @@ class UsersController < ApplicationController end def second_factor_check_confirmed_password - raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins + raise Discourse::NotFound if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins raise Discourse::InvalidAccess.new unless current_user && secure_session_confirmed? end diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index 0f948222982..48c910f2f9c 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -548,7 +548,7 @@ module ApplicationHelper def can_sign_up? SiteSetting.allow_new_registrations && !SiteSetting.invite_only && - !SiteSetting.enable_sso + !SiteSetting.enable_discourse_connect end def rss_creator(user) diff --git a/app/jobs/regular/export_csv_file.rb b/app/jobs/regular/export_csv_file.rb index 5b47f1cd02e..314195234b5 100644 --- a/app/jobs/regular/export_csv_file.rb +++ b/app/jobs/regular/export_csv_file.rb @@ -113,7 +113,7 @@ module Jobs condition = { trust_level: trust_level } end - if SiteSetting.enable_sso + if SiteSetting.enable_discourse_connect # SSO enabled User.where(condition).includes(:user_profile, :user_stat, :user_emails, :single_sign_on_record, :groups).find_each do |user| user_info_array = get_base_user_array(user) @@ -232,7 +232,7 @@ module Jobs def get_header(entity) if entity == 'user_list' header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile'] - header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_sso + header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_discourse_connect user_custom_fields = UserField.all if user_custom_fields.present? user_custom_fields.each do |custom_field| diff --git a/app/jobs/regular/export_user_archive.rb b/app/jobs/regular/export_user_archive.rb index bb09b02fc0d..408483104b6 100644 --- a/app/jobs/regular/export_user_archive.rb +++ b/app/jobs/regular/export_user_archive.rb @@ -384,7 +384,7 @@ module Jobs def get_header(entity) if entity == 'user_list' header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile'] - header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_sso + header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_discourse_connect user_custom_fields = UserField.all if user_custom_fields.present? user_custom_fields.each do |custom_field| diff --git a/app/models/concerns/second_factor_manager.rb b/app/models/concerns/second_factor_manager.rb index 8d2429026eb..d1974f94497 100644 --- a/app/models/concerns/second_factor_manager.rb +++ b/app/models/concerns/second_factor_manager.rb @@ -54,19 +54,19 @@ module SecondFactorManager end def totp_enabled? - !SiteSetting.enable_sso && + !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && self&.user_second_factors.totps.exists? end def backup_codes_enabled? - !SiteSetting.enable_sso && + !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && self&.user_second_factors.backup_codes.exists? end def security_keys_enabled? - !SiteSetting.enable_sso && + !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && self&.security_keys.where(factor_type: UserSecurityKey.factor_types[:second_factor], enabled: true).exists? end diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb index b28f04bd92b..c40b04b1b4b 100644 --- a/app/models/discourse_single_sign_on.rb +++ b/app/models/discourse_single_sign_on.rb @@ -6,11 +6,11 @@ class DiscourseSingleSignOn < SingleSignOn class BannedExternalId < StandardError; end def self.sso_url - SiteSetting.sso_url + SiteSetting.discourse_connect_url end def self.sso_secret - SiteSetting.sso_secret + SiteSetting.discourse_connect_secret end def self.generate_sso(return_path = "/") @@ -120,7 +120,7 @@ class DiscourseSingleSignOn < SingleSignOn # The user might require approval user.create_reviewable - if bio && (user.user_profile.bio_raw.blank? || SiteSetting.sso_overrides_bio) + if bio && (user.user_profile.bio_raw.blank? || SiteSetting.discourse_connect_overrides_bio) user.user_profile.bio_raw = bio user.user_profile.save! end @@ -170,7 +170,7 @@ class DiscourseSingleSignOn < SingleSignOn end def apply_group_rules(user) - if SiteSetting.sso_overrides_groups + if SiteSetting.discourse_connect_overrides_groups synchronize_groups(user) return end @@ -219,7 +219,7 @@ class DiscourseSingleSignOn < SingleSignOn user = User.create!(user_params) - if SiteSetting.verbose_sso_logging + if SiteSetting.verbose_discourse_connect_logging Rails.logger.warn("Verbose SSO log: New User (user_id: #{user.id}) Params: #{user_params} User Params: #{user.attributes} User Errors: #{user.errors.full_messages} Email: #{user.primary_email.attributes} Email Error: #{user.primary_email.errors.full_messages}") end end @@ -233,7 +233,7 @@ class DiscourseSingleSignOn < SingleSignOn Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, - override_gravatar: SiteSetting.sso_overrides_avatar + override_gravatar: SiteSetting.discourse_connect_overrides_avatar ) end @@ -273,13 +273,13 @@ class DiscourseSingleSignOn < SingleSignOn def change_external_attributes_and_override(sso_record, user) @email_changed = false - if SiteSetting.sso_overrides_email && user.email != Email.downcase(email) + if SiteSetting.auth_overrides_email && user.email != Email.downcase(email) user.email = email user.active = false if require_activation @email_changed = true end - if SiteSetting.sso_overrides_username? && username.present? + if SiteSetting.auth_overrides_username? && username.present? if user.username.downcase == username.downcase user.username = username # there may be a change of case elsif user.username != username @@ -287,7 +287,7 @@ class DiscourseSingleSignOn < SingleSignOn end end - if SiteSetting.sso_overrides_name && user.name != name && name.present? + if SiteSetting.auth_overrides_name && user.name != name && name.present? user.name = name || User.suggest_name(username.blank? ? email : username) end @@ -297,18 +297,18 @@ class DiscourseSingleSignOn < SingleSignOn avatar_missing = user.uploaded_avatar_id.nil? || !Upload.exists?(user.uploaded_avatar_id) - if (avatar_missing || avatar_force_update || SiteSetting.sso_overrides_avatar) && avatar_url.present? + if (avatar_missing || avatar_force_update || SiteSetting.discourse_connect_overrides_avatar) && avatar_url.present? avatar_changed = sso_record.external_avatar_url != avatar_url if avatar_force_update || avatar_changed || avatar_missing - Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, override_gravatar: SiteSetting.sso_overrides_avatar) + Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, override_gravatar: SiteSetting.discourse_connect_overrides_avatar) end end if profile_background_url.present? profile_background_missing = user.user_profile.profile_background_upload.blank? || Upload.get_from_url(user.user_profile.profile_background_upload.url).blank? - if profile_background_missing || SiteSetting.sso_overrides_profile_background + if profile_background_missing || SiteSetting.discourse_connect_overrides_profile_background profile_background_changed = sso_record.external_profile_background_url != profile_background_url if profile_background_changed || profile_background_missing Jobs.enqueue(:download_profile_background_from_url, @@ -322,7 +322,7 @@ class DiscourseSingleSignOn < SingleSignOn if card_background_url.present? card_background_missing = user.user_profile.card_background_upload.blank? || Upload.get_from_url(user.user_profile.card_background_upload.url).blank? - if card_background_missing || SiteSetting.sso_overrides_profile_background + if card_background_missing || SiteSetting.discourse_connect_overrides_profile_background card_background_changed = sso_record.external_card_background_url != card_background_url if card_background_changed || card_background_missing Jobs.enqueue(:download_profile_background_from_url, diff --git a/app/models/invite.rb b/app/models/invite.rb index 4b4f114e649..cff077e92fc 100644 --- a/app/models/invite.rb +++ b/app/models/invite.rb @@ -361,7 +361,7 @@ class Invite < ActiveRecord::Base return if email.blank? if SiteSetting.enable_sso? - errors.add(:email, I18n.t("invite.disabled_errors.sso_enabled")) + errors.add(:email, I18n.t("invite.disabled_errors.discourse_connect_enabled")) elsif !SiteSetting.enable_local_logins? errors.add(:email, I18n.t("invite.disabled_errors.local_logins_disabled")) end diff --git a/app/serializers/admin_user_list_serializer.rb b/app/serializers/admin_user_list_serializer.rb index eab8fe1f411..dd9ce3f6f04 100644 --- a/app/serializers/admin_user_list_serializer.rb +++ b/app/serializers/admin_user_list_serializer.rb @@ -106,7 +106,7 @@ class AdminUserListSerializer < BasicUserSerializer end def include_second_factor_enabled? - !SiteSetting.enable_sso && + !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && object.has_any_second_factor_methods_enabled? end diff --git a/app/serializers/current_user_serializer.rb b/app/serializers/current_user_serializer.rb index 3ec597a7db6..722a88bfc76 100644 --- a/app/serializers/current_user_serializer.rb +++ b/app/serializers/current_user_serializer.rb @@ -228,7 +228,7 @@ class CurrentUserSerializer < BasicUserSerializer end def include_external_id? - SiteSetting.enable_sso + SiteSetting.enable_discourse_connect end def second_factor_enabled diff --git a/app/serializers/notification_serializer.rb b/app/serializers/notification_serializer.rb index 18f0b9fcac4..f4b7119b024 100644 --- a/app/serializers/notification_serializer.rb +++ b/app/serializers/notification_serializer.rb @@ -44,7 +44,7 @@ class NotificationSerializer < ApplicationSerializer end def include_external_id? - SiteSetting.enable_sso + SiteSetting.enable_discourse_connect end end diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb index 08766faf5b5..afe57d8e739 100644 --- a/app/serializers/user_serializer.rb +++ b/app/serializers/user_serializer.rb @@ -120,15 +120,15 @@ class UserSerializer < UserCardSerializer end def can_change_bio - !(SiteSetting.enable_sso && SiteSetting.sso_overrides_bio) + !(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_bio) end def can_change_location - !(SiteSetting.enable_sso && SiteSetting.sso_overrides_location) + !(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_location) end def can_change_website - !(SiteSetting.enable_sso && SiteSetting.sso_overrides_website) + !(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_website) end def user_api_keys diff --git a/app/services/user_updater.rb b/app/services/user_updater.rb index 544b9883ca3..ce046d6e86a 100644 --- a/app/services/user_updater.rb +++ b/app/services/user_updater.rb @@ -67,15 +67,15 @@ class UserUpdater def update(attributes = {}) user_profile = user.user_profile user_profile.dismissed_banner_key = attributes[:dismissed_banner_key] if attributes[:dismissed_banner_key].present? - unless SiteSetting.enable_sso && SiteSetting.sso_overrides_bio + unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_bio user_profile.bio_raw = attributes.fetch(:bio_raw) { user_profile.bio_raw } end - unless SiteSetting.enable_sso && SiteSetting.sso_overrides_location + unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_location user_profile.location = attributes.fetch(:location) { user_profile.location } end - unless SiteSetting.enable_sso && SiteSetting.sso_overrides_website + unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_website user_profile.website = format_url(attributes.fetch(:website) { user_profile.website }) end diff --git a/app/views/session/sso_login.html.erb b/app/views/session/sso_login.html.erb index 985172c4ee9..3cf7dac5d8f 100644 --- a/app/views/session/sso_login.html.erb +++ b/app/views/session/sso_login.html.erb @@ -1,4 +1,4 @@ -

<%= t('sso.login_error') %>

+

<%= t('discourse_connect.login_error') %>


diff --git a/config/locales/client.en.yml b/config/locales/client.en.yml index 01cdeff4f98..fe9db3425d3 100644 --- a/config/locales/client.en.yml +++ b/config/locales/client.en.yml @@ -1263,7 +1263,7 @@ en: set_primary: "Set Primary Email" destroy: "Remove Email" add_email: "Add Alternate Email" - sso_override_instructions: "Email can be updated from SSO provider." + auth_override_instructions: "Email can be updated from authentication provider." no_secondary: "No secondary emails" instructions: "Never shown to the public." admin_note: "Note: An admin user changing another non-admin user's email indicates the user has lost access to their original email account, so a reset password email will be sent to their new address. The user's email will not change until they complete the reset password process." @@ -2648,7 +2648,7 @@ en: action: "Send Invite" help: "invite others to this topic via email or notifications" to_forum: "We'll send a brief email allowing your friend to immediately join by clicking a link." - sso_enabled: "Enter the username of the person you'd like to invite to this topic." + discourse_connect_enabled: "Enter the username of the person you'd like to invite to this topic." to_topic_blank: "Enter the username or email address of the person you'd like to invite to this topic." to_topic_email: "You've entered an email address. We'll email an invitation that allows your friend to immediately reply to this topic." to_topic_username: "You've entered a username. We'll send a notification with a link inviting them to this topic." @@ -3863,7 +3863,7 @@ en: wordpress: Necessary for the WordPress wp-discourse plugin to work. users: bookmarks: List user bookmarks. It returns bookmark reminders when using the ICS format. - sync_sso: Synchronize a user using SSO. + sync_sso: Synchronize a user using DiscourseConnect. show: Obtain information about an user. check_emails: List user emails. update: Update user profile information. @@ -4853,8 +4853,8 @@ en: on_grace_period: "Currently in promotion grace period, will not be demoted." locked_will_not_be_promoted: "Trust level locked. Will never be promoted." locked_will_not_be_demoted: "Trust level locked. Will never be demoted." - sso: - title: "Single Sign On" + discourse_connect: + title: "DiscourseConnect Single Sign On" external_id: "External ID" external_username: "Username" external_name: "Name" @@ -4862,7 +4862,7 @@ en: external_avatar_url: "Profile Picture URL" last_payload: "Last Payload" delete_sso_record: "Delete SSO Record" - confirm_delete: "Are you sure you would like to delete this single sign on (SSO) record?" + confirm_delete: "Are you sure you would like to delete this DiscourseConnect record?" user_fields: title: "User Fields" diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 68511726d1c..343e1d530cd 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -180,7 +180,7 @@ en: one: is the wrong length (should be %{count} character) other: is the wrong length (should be %{count} characters) other_than: "must be other than %{count}" - sso_overrides_username: "Username needs to be updated on SSO provider side, since `sso_overrides_username` setting is enabled." + auth_overrides_username: "Username needs to be updated on authentication provider side, since `auth_overrides_username` setting is enabled." template: body: ! "There were problems with the following fields:" header: @@ -204,7 +204,7 @@ en: share_quote_facebook_requirements: "You must set a Facebook app id to enable quote sharing for Facebook." second_factor_cannot_enforce_with_socials: "You cannot enforce 2FA with social logins enabled. You must first disable login via: %{auth_provider_names}" second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled." - second_factor_cannot_be_enforced_with_sso_enabled: "You cannot enforce 2FA if SSO is enabled." + second_factor_cannot_be_enforced_with_discourse_connect_enabled: "You cannot enforce 2FA if DiscourseConnect is enabled." local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins." cannot_enable_s3_uploads_when_s3_enabled_globally: "You cannot enable S3 uploads because S3 uploads are already globally enabled, and enabling this site-level could cause critical issues with uploads" cors_origins_should_not_have_trailing_slash: "You should not add the trailing slash (/) to CORS origins." @@ -239,7 +239,7 @@ en: confirm_email: "

You’re almost done! We sent an activation mail to your email address. Please follow the instructions in the mail to activate your account.

If it doesn’t arrive, check your spam folder.

" cant_invite_to_group: "You are not allowed to invite users to specified group(s). Make sure you are owner of the group(s) you are trying to invite to." disabled_errors: - sso_enabled: "Invites are disabled because SSO is enabled." + discourse_connect_enabled: "Invites are disabled because DiscourseConnect is enabled." local_logins_disabled: "Invites are disabled because the 'enable local logins' setting is disabled." invalid_access: "You are not permitted to view the requested resource." @@ -448,7 +448,7 @@ en: one: "Maximum %{count} user can be added at once" other: "Maximum %{count} users can be added at once" usernames_or_emails_required: "Usernames or emails must be present" - no_invites_with_sso: "You can invite only registered users when SSO is enabled" + no_invites_with_discourse_connect: "You can invite only registered users when DiscourseConnect is enabled" no_invites_without_local_logins: "You can invite only registered users when local logins are disabled" default_names: everyone: "everyone" @@ -1532,7 +1532,7 @@ en: detailed_404: "Provides more details to users about why they can’t access a particular topic. Note: This is less secure because users will know if a URL links to a valid topic." enforce_second_factor: "Forces users to enable two-factor authentication. Select 'all' to enforce it to all users. Select 'staff' to enforce it to staff users only." force_https: "Force your site to use HTTPS only. WARNING: do NOT enable this until you verify HTTPS is fully set up and working absolutely everywhere! Did you check your CDN, all social logins, and any external logos / dependencies to make sure they are all HTTPS compatible, too?" - same_site_cookies: "Use same site cookies, they eliminate all vectors Cross Site Request Forgery on supported browsers (Lax or Strict). Warning: Strict will only work on sites that force login and use SSO." + same_site_cookies: "Use same site cookies, they eliminate all vectors Cross Site Request Forgery on supported browsers (Lax or Strict). Warning: Strict will only work on sites that force login and use an external auth method." summary_score_threshold: "The minimum score required for a post to be included in 'Summarize This Topic'" summary_posts_required: "Minimum posts in a topic before 'Summarize This Topic' is enabled. Changes to this setting will be applied retroactively within a week." summary_likes_required: "Minimum likes in a topic before 'Summarize This Topic' is enabled. Changes to this setting will be applied retroactively within a week." @@ -1656,27 +1656,27 @@ en: password_unique_characters: "Minimum number of unique characters that a password must have." block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords." - external_auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside sso_overrides_email, sso_overrides_username and sso_overrides_name. - external_auth_immediately: "Automatically redirect to the external login system without user interaction. This only takes effect when login_required is true, and there is only one external authentication method" + auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside auth_overrides_email, auth_overrides_username and auth_overrides_name. + auth_immediately: "Automatically redirect to the external login system without user interaction. This only takes effect when login_required is true, and there is only one external authentication method" - enable_sso: "Enable single sign on via an external site (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)" - verbose_sso_logging: "Log verbose SSO related diagnostics to /logs" - enable_sso_provider: "Implement Discourse SSO provider protocol at the /session/sso_provider endpoint, requires sso_provider_secrets to be set" - sso_url: "URL of single sign on endpoint (must include http:// or https://)" - sso_secret: "Secret string used to cryptographically authenticate SSO information, be sure it is 10 characters or longer" - sso_provider_secrets: "A list of domain-secret pairs that are using Discourse as an SSO provider. Make sure SSO secret is 10 characters or longer. Wildcard symbol * can be used to match any domain or only a part of it (e.g. *.example.com)." - sso_overrides_bio: "Overrides user bio in user profile and prevents user from changing it" - sso_overrides_groups: "Synchronize all manual group membership with groups specified in the groups sso attribute (WARNING: if you do not specify groups all manual group membership will be cleared for user)" - sso_overrides_email: "Overrides local email with external site email from SSO payload on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to normalization of local emails)" - sso_overrides_username: "Overrides local username with external site username from SSO payload on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to differences in username length/requirements)" - sso_overrides_name: "Overrides local full name with external site full name from SSO payload on every login, and prevent local changes. Applies to all authentication providers." - sso_overrides_avatar: "Overrides user avatar with external site avatar from SSO payload. If enabled, users will not be allowed to upload avatars on Discourse." - sso_overrides_location: "Overrides user location with external location from SSO payload and prevent local changes." - sso_overrides_website: "Overrides user website with external location from SSO payload and prevent local changes." - sso_overrides_profile_background: "Overrides user profile background with external site avatar from SSO payload." - sso_overrides_card_background: "Overrides user card background with external site avatar from SSO payload." - sso_not_approved_url: "Redirect unapproved SSO accounts to this URL" - sso_allows_all_return_paths: "Do not restrict the domain for return_paths provided by SSO (by default return path must be on current site)" + enable_discourse_connect: "Enable sign on via DiscourseConnect (formerly 'Discourse SSO') (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)" + verbose_discourse_connect_logging: "Log verbose DiscourseConnect related diagnostics to /logs" + enable_discourse_connect_provider: "Implement DiscourseConnect (formerly 'Discourse SSO') provider protocol at the /session/sso_provider endpoint, requires discourse_connect_provider_secrets to be set" + discourse_connect_url: "URL of DiscourseConnect endpoint (must include http:// or https://)" + discourse_connect_secret: "Secret string used to cryptographically authenticate DiscourseConnect information, be sure it is 10 characters or longer" + discourse_connect_provider_secrets: "A list of domain-secret pairs that are using DiscourseConnect. Make sure DiscourseConnect secret is 10 characters or longer. Wildcard symbol * can be used to match any domain or only a part of it (e.g. *.example.com)." + discourse_connect_overrides_bio: "Overrides user bio in user profile and prevents user from changing it" + discourse_connect_overrides_groups: "Synchronize all manual group membership with groups specified in the groups attribute (WARNING: if you do not specify groups all manual group membership will be cleared for user)" + auth_overrides_email: "Overrides local email with external site email on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to normalization of local emails)" + auth_overrides_username: "Overrides local username with external site username on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to differences in username length/requirements)" + auth_overrides_name: "Overrides local full name with external site full name on every login, and prevent local changes. Applies to all authentication providers." + discourse_connect_overrides_avatar: "Overrides user avatar with external site avatar from DiscourseConnect payload. If enabled, users will not be allowed to upload avatars on Discourse." + discourse_connect_overrides_location: "Overrides user location with external location from DiscourseConnect payload and prevent local changes." + discourse_connect_overrides_website: "Overrides user website with external location from DiscourseConnect payload and prevent local changes." + discourse_connect_overrides_profile_background: "Overrides user profile background with external site avatar from DiscourseConnect payload." + discourse_connect_overrides_card_background: "Overrides user card background with external site avatar from DiscourseConnect payload." + discourse_connect_not_approved_url: "Redirect unapproved DiscourseConnect accounts to this URL" + discourse_connect_allows_all_return_paths: "Do not restrict the domain for return_paths provided by DiscourseConnect (by default return path must be on current site)" enable_local_logins: "Enable local username and password login based accounts. This must be enabled for invites to work. WARNING: if disabled, you may be unable to log in if you have not previously configured at least one alternate login method." enable_local_logins_via_email: "Allow users to request a one-click login link to be sent to them via email." @@ -2313,8 +2313,8 @@ en: email_editable_enabled: "You must disable 'email editable' before enabling this setting." staged_users_disabled: "You must first enable 'staged users' before enabling this setting." reply_by_email_disabled: "You must first enable 'reply by email' before enabling this setting." - sso_url_is_empty: "You must set a 'sso url' before enabling this setting." - sso_invite_only: "You cannot enable sso and invite only at the same time." + discourse_connect_url_is_empty: "You must set a 'discourse connect url' before enabling this setting." + discourse_connect_invite_only: "You cannot enable DiscourseConnect and invite only at the same time." enable_local_logins_disabled: "You must first enable 'enable local logins' before enabling this setting." min_username_length_exists: "You cannot set the minimum username length above the shortest username (%{username})." min_username_length_range: "You cannot set the minimum above the maximum." @@ -2334,9 +2334,9 @@ en: list_value_count: "The list must contain exactly %{count} values." placeholder: - sso_provider_secrets: + discourse_connect_provider_secrets: key: "www.example.com" - value: "SSO secret" + value: "DiscourseConnect secret" search: extreme_load_error: "Site is under extreme load, search is disabled, try again later" @@ -2349,7 +2349,7 @@ en: audio: "[audio]" video: "[video]" - sso: + discourse_connect: login_error: "Login Error" not_found: "Your account couldn't be found. Please contact the site's administrator." account_not_approved: "Your account is pending approval. You will receive an email notification when you are approved." @@ -2358,7 +2358,7 @@ en: no_email: "No email address was provided. Please contact the site's administrator." blank_id_error: "The `external_id` is required but was blank" email_error: "An account could not be registered with the email address %{email}. Please contact the site's administrator." - missing_secret: "SSO authentication failed due to missing secret. Contact the site administrators to fix this problem." + missing_secret: "Authentication failed due to missing secret. Contact the site administrators to fix this problem." original_poster: "Original Poster" most_posts: "Most Posts" diff --git a/config/site_settings.yml b/config/site_settings.yml index aa4c21dd6a9..415094f9bf6 100644 --- a/config/site_settings.yml +++ b/config/site_settings.yml @@ -423,31 +423,31 @@ login: default: "" type: list list_type: simple - external_auth_skip_create_confirm: + auth_skip_create_confirm: default: false client: true - external_auth_immediately: + auth_immediately: default: true - enable_sso: + enable_discourse_connect: client: true default: false validator: "EnableSsoValidator" - sso_allows_all_return_paths: false - enable_sso_provider: false - verbose_sso_logging: false + discourse_connect_allows_all_return_paths: false + enable_discourse_connect_provider: false + verbose_discourse_connect_logging: false verbose_auth_token_logging: hidden: true default: true max_suspicious_distance_km: hidden: true default: 500 - sso_url: + discourse_connect_url: default: "" regex: '^https?:\/\/.+[^\/]$' - sso_secret: + discourse_connect_secret: default: "" secret: true - sso_provider_secrets: + discourse_connect_provider_secrets: default: "" type: list list_type: secret @@ -455,22 +455,22 @@ login: placeholder: key: "sso_provider.key_placeholder" value: "sso_provider.value_placeholder" - sso_overrides_groups: false - sso_overrides_bio: false - sso_overrides_email: + discourse_connect_overrides_groups: false + discourse_connect_overrides_bio: false + auth_overrides_email: default: false validator: "SsoOverridesEmailValidator" client: true - sso_overrides_username: false - sso_overrides_name: false - sso_overrides_avatar: + auth_overrides_username: false + auth_overrides_name: false + discourse_connect_overrides_avatar: default: false client: true - sso_overrides_profile_background: false - sso_overrides_location: false - sso_overrides_website: false - sso_overrides_card_background: false - sso_not_approved_url: "" + discourse_connect_overrides_profile_background: false + discourse_connect_overrides_location: false + discourse_connect_overrides_website: false + discourse_connect_overrides_card_background: false + discourse_connect_not_approved_url: "" blocked_email_domains: default: "mailinator.com" type: list diff --git a/db/migrate/20181005084357_add_sso_provider_secrets_to_site_settings.rb b/db/migrate/20181005084357_add_sso_provider_secrets_to_site_settings.rb index 777e665a6d2..877dc72f1f3 100644 --- a/db/migrate/20181005084357_add_sso_provider_secrets_to_site_settings.rb +++ b/db/migrate/20181005084357_add_sso_provider_secrets_to_site_settings.rb @@ -2,12 +2,14 @@ class AddSsoProviderSecretsToSiteSettings < ActiveRecord::Migration[5.2] def up - return unless SiteSetting.enable_sso_provider && SiteSetting.sso_secret.present? - sso_secret = SiteSetting.sso_secret - sso_secret_insert = ActiveRecord::Base.connection.quote("*|#{sso_secret}") - - execute "INSERT INTO site_settings(name, data_type, value, created_at, updated_at) - VALUES ('sso_provider_secrets', 8, #{sso_secret_insert}, now(), now())" + execute <<~SQL + INSERT INTO site_settings(name, data_type, value, created_at, updated_at) + SELECT 'sso_provider_secrets', 8, '*|' || value, now(), now() + FROM site_settings WHERE name = 'sso_secret' + AND EXISTS ( + SELECT 1 FROM site_settings WHERE name = 'enable_sso_provider' AND value = 't' + ) + SQL end def down diff --git a/db/migrate/20210204135429_rename_sso_site_settings.rb b/db/migrate/20210204135429_rename_sso_site_settings.rb new file mode 100644 index 00000000000..8fb149b1ee1 --- /dev/null +++ b/db/migrate/20210204135429_rename_sso_site_settings.rb @@ -0,0 +1,43 @@ +# frozen_string_literal: true + +class RenameSsoSiteSettings < ActiveRecord::Migration[6.0] + RENAME_SETTINGS = [ + ['enable_sso', 'enable_discourse_connect'], + ['sso_allows_all_return_paths', 'discourse_connect_allows_all_return_paths'], + ['enable_sso_provider', 'enable_discourse_connect_provider'], + ['verbose_sso_logging', 'verbose_discourse_connect_logging'], + ['sso_url', 'discourse_connect_url'], + ['sso_secret', 'discourse_connect_secret'], + ['sso_provider_secrets', 'discourse_connect_provider_secrets'], + ['sso_overrides_groups', 'discourse_connect_overrides_groups'], + ['sso_overrides_bio', 'discourse_connect_overrides_bio'], + ['sso_overrides_email', 'auth_overrides_email'], + ['sso_overrides_username', 'auth_overrides_username'], + ['sso_overrides_name', 'auth_overrides_name'], + ['sso_overrides_avatar', 'discourse_connect_overrides_avatar'], + ['sso_overrides_profile_background', 'discourse_connect_overrides_profile_background'], + ['sso_overrides_location', 'discourse_connect_overrides_location'], + ['sso_overrides_website', 'discourse_connect_overrides_website'], + ['sso_overrides_card_background', 'discourse_connect_overrides_card_background'], + ['external_auth_skip_create_confirm', 'auth_skip_create_confirm'], + ['external_auth_immediately', 'auth_immediately'] + ] + + def up + # Copying the rows so that things keep working during deploy + # TODO: Add a post-deploy migration to drop the old rows + + RENAME_SETTINGS.each do |old_name, new_name| + execute <<~SQL + INSERT INTO site_settings (name, data_type, value, created_at, updated_at) + SELECT '#{new_name}', data_type, value, created_at, updated_at + FROM site_settings + WHERE name = '#{old_name}' + SQL + end + end + + def down + raise ActiveRecord::IrreversibleMigration + end +end diff --git a/lib/auth/result.rb b/lib/auth/result.rb index 18dff598aa6..5cad43107b0 100644 --- a/lib/auth/result.rb +++ b/lib/auth/result.rb @@ -70,17 +70,17 @@ class Auth::Result def apply_user_attributes! change_made = false - if SiteSetting.sso_overrides_username? && username.present? && username != user.username + if SiteSetting.auth_overrides_username? && username.present? && username != user.username user.username = UserNameSuggester.suggest(username || name || email, user.username) change_made = true end - if SiteSetting.sso_overrides_email && email_valid && email.present? && user.email != Email.downcase(email) + if SiteSetting.auth_overrides_email && email_valid && email.present? && user.email != Email.downcase(email) user.email = email change_made = true end - if SiteSetting.sso_overrides_name && name.present? && user.name != name + if SiteSetting.auth_overrides_name && name.present? && user.name != name user.name = name change_made = true end @@ -89,11 +89,11 @@ class Auth::Result end def can_edit_name - !SiteSetting.sso_overrides_name + !SiteSetting.auth_overrides_name end def can_edit_username - !(SiteSetting.sso_overrides_username || omit_username) + !(SiteSetting.auth_overrides_username || omit_username) end def to_client_hash diff --git a/lib/composer_messages_finder.rb b/lib/composer_messages_finder.rb index f1f9aa33d82..251091d0e04 100644 --- a/lib/composer_messages_finder.rb +++ b/lib/composer_messages_finder.rb @@ -78,7 +78,7 @@ class ComposerMessagesFinder # - "disable avatar education message" is enabled # - "sso overrides avatar" is enabled # - "allow uploaded avatars" is disabled - return if SiteSetting.disable_avatar_education_message || SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars + return if SiteSetting.disable_avatar_education_message || SiteSetting.discourse_connect_overrides_avatar || !SiteSetting.allow_uploaded_avatars # If we got this far, log that we've nagged them about the avatar UserHistory.create!(action: UserHistory.actions[:notified_about_avatar], target_user_id: @user.id) diff --git a/lib/guardian.rb b/lib/guardian.rb index b82966296f2..147329c352e 100644 --- a/lib/guardian.rb +++ b/lib/guardian.rb @@ -353,7 +353,7 @@ class Guardian def can_invite_to_forum?(groups = nil) authenticated? && (SiteSetting.max_invites_per_day.to_i > 0 || is_staff?) && - !SiteSetting.enable_sso && + !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && ( (!SiteSetting.must_approve_users? && @user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)) || @@ -391,7 +391,7 @@ class Guardian def can_invite_via_email?(object) return false unless can_invite_to?(object) - !SiteSetting.enable_sso && SiteSetting.enable_local_logins && (!SiteSetting.must_approve_users? || is_staff?) + !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && (!SiteSetting.must_approve_users? || is_staff?) end def can_bulk_invite_to_forum?(user) diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb index c26ec89aa8e..099267b7eb3 100644 --- a/lib/guardian/user_guardian.rb +++ b/lib/guardian/user_guardian.rb @@ -23,7 +23,7 @@ module UserGuardian end def can_edit_username?(user) - return false if SiteSetting.sso_overrides_username? + return false if SiteSetting.auth_overrides_username? return true if is_staff? return false if SiteSetting.username_change_period <= 0 return false if is_anonymous? @@ -31,7 +31,7 @@ module UserGuardian end def can_edit_email?(user) - return false if SiteSetting.sso_overrides_email? + return false if SiteSetting.auth_overrides_email? return false unless SiteSetting.email_editable? return true if is_staff? return false if is_anonymous? @@ -40,7 +40,7 @@ module UserGuardian def can_edit_name?(user) return false unless SiteSetting.enable_names? - return false if SiteSetting.sso_overrides_name? + return false if SiteSetting.auth_overrides_name? return true if is_staff? return false if is_anonymous? can_edit?(user) @@ -61,7 +61,7 @@ module UserGuardian def can_delete_user?(user) return false if user.nil? || user.admin? if is_me?(user) - !SiteSetting.enable_sso && + !SiteSetting.enable_discourse_connect && !user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count) else is_staff? && ( @@ -173,6 +173,6 @@ module UserGuardian end def can_delete_sso_record?(user) - SiteSetting.enable_sso && user && is_admin? + SiteSetting.enable_discourse_connect && user && is_admin? end end diff --git a/lib/single_sign_on_provider.rb b/lib/single_sign_on_provider.rb index a626ffcf269..3e744430ba2 100644 --- a/lib/single_sign_on_provider.rb +++ b/lib/single_sign_on_provider.rb @@ -7,7 +7,7 @@ class SingleSignOnProvider < SingleSignOn set_return_sso_url(payload) if sso_secret.blank? && self.sso_secret.blank? host = URI.parse(@return_sso_url).host - Rails.logger.warn("SSO failed; website #{host} is not in the `sso_provider_secrets` site settings") + Rails.logger.warn("SSO failed; website #{host} is not in the `discourse_connect_provider_secrets` site settings") raise BlankSecret end @@ -24,9 +24,9 @@ class SingleSignOnProvider < SingleSignOn end def self.sso_secret - return nil unless @return_sso_url && SiteSetting.enable_sso_provider + return nil unless @return_sso_url && SiteSetting.enable_discourse_connect_provider - provider_secrets = SiteSetting.sso_provider_secrets.split(/[|\n]/) + provider_secrets = SiteSetting.discourse_connect_provider_secrets.split(/[|\n]/) provider_secrets_hash = Hash[*provider_secrets] return_url_host = URI.parse(@return_sso_url).host # moves wildcard domains to the end of hash diff --git a/lib/site_settings/deprecated_settings.rb b/lib/site_settings/deprecated_settings.rb index 60e6a909eda..85ed2f4caeb 100644 --- a/lib/site_settings/deprecated_settings.rb +++ b/lib/site_settings/deprecated_settings.rb @@ -10,7 +10,27 @@ module SiteSettings::DeprecatedSettings ['enable_category_group_review', 'enable_category_group_moderation', true, '2.7'], ['newuser_max_images', 'newuser_max_embedded_media', true, '2.7'], ['min_trust_to_post_images', 'min_trust_to_post_embedded_media', true, '2.7'], - ['moderators_create_categories', 'moderators_manage_categories_and_groups', '2.7'] + ['moderators_create_categories', 'moderators_manage_categories_and_groups', '2.7'], + + ['enable_sso', 'enable_discourse_connect', true, '2.8'], + ['sso_allows_all_return_paths', 'discourse_connect_allows_all_return_paths', true, '2.8'], + ['enable_sso_provider', 'enable_discourse_connect_provider', true, '2.8'], + ['verbose_sso_logging', 'verbose_discourse_connect_logging', true, '2.8'], + ['sso_url', 'discourse_connect_url', true, '2.8'], + ['sso_secret', 'discourse_connect_secret', true, '2.8'], + ['sso_provider_secrets', 'discourse_connect_provider_secrets', true, '2.8'], + ['sso_overrides_groups', 'discourse_connect_overrides_groups', true, '2.8'], + ['sso_overrides_bio', 'discourse_connect_overrides_bio', true, '2.8'], + ['sso_overrides_email', 'auth_overrides_email', true, '2.8'], + ['sso_overrides_username', 'auth_overrides_username', true, '2.8'], + ['sso_overrides_name', 'auth_overrides_name', true, '2.8'], + ['sso_overrides_avatar', 'discourse_connect_overrides_avatar', true, '2.8'], + ['sso_overrides_profile_background', 'discourse_connect_overrides_profile_background', true, '2.8'], + ['sso_overrides_location', 'discourse_connect_overrides_location', true, '2.8'], + ['sso_overrides_website', 'discourse_connect_overrides_website', true, '2.8'], + ['sso_overrides_card_background', 'discourse_connect_overrides_card_background', true, '2.8'], + ['external_auth_skip_create_confirm', 'auth_skip_create_confirm', true, '2.8'], + ['external_auth_immediately', 'auth_immediately', true, '2.8'], ] def setup_deprecated_methods diff --git a/lib/site_settings/validations.rb b/lib/site_settings/validations.rb index 81090bfe1c1..ebfcbfcfe14 100644 --- a/lib/site_settings/validations.rb +++ b/lib/site_settings/validations.rb @@ -177,8 +177,8 @@ module SiteSettings::Validations end def validate_enforce_second_factor(new_val) - if SiteSetting.enable_sso? - return validate_error :second_factor_cannot_be_enforced_with_sso_enabled + if SiteSetting.enable_discourse_connect? + return validate_error :second_factor_cannot_be_enforced_with_discourse_connect_enabled end if new_val == "all" && Discourse.enabled_auth_providers.count > 0 auth_provider_names = Discourse.enabled_auth_providers.map(&:name).join(", ") diff --git a/lib/validators/enable_invite_only_validator.rb b/lib/validators/enable_invite_only_validator.rb index 63fd259bc08..b2efcdf83f5 100644 --- a/lib/validators/enable_invite_only_validator.rb +++ b/lib/validators/enable_invite_only_validator.rb @@ -7,10 +7,10 @@ class EnableInviteOnlyValidator def valid_value?(val) return true if val == 'f' - !SiteSetting.enable_sso? + !SiteSetting.enable_discourse_connect? end def error_message - I18n.t('site_settings.errors.sso_invite_only') + I18n.t('site_settings.errors.discourse_connect_invite_only') end end diff --git a/lib/validators/enable_sso_validator.rb b/lib/validators/enable_sso_validator.rb index e119cc29ba6..6c71904d768 100644 --- a/lib/validators/enable_sso_validator.rb +++ b/lib/validators/enable_sso_validator.rb @@ -7,12 +7,12 @@ class EnableSsoValidator def valid_value?(val) return true if val == 'f' - return false if SiteSetting.sso_url.blank? || SiteSetting.invite_only? + return false if SiteSetting.discourse_connect_url.blank? || SiteSetting.invite_only? true end def error_message - return I18n.t('site_settings.errors.sso_url_is_empty') if SiteSetting.sso_url.blank? - return I18n.t('site_settings.errors.sso_invite_only') if SiteSetting.invite_only? + return I18n.t('site_settings.errors.discourse_connect_url_is_empty') if SiteSetting.discourse_connect_url.blank? + return I18n.t('site_settings.errors.discourse_connect_invite_only') if SiteSetting.invite_only? end end diff --git a/script/benchmarks/site_setting/bench.rb b/script/benchmarks/site_setting/bench.rb index 902911d44fb..5790b41ffa8 100644 --- a/script/benchmarks/site_setting/bench.rb +++ b/script/benchmarks/site_setting/bench.rb @@ -14,7 +14,7 @@ SiteSetting.refresh! tests = [ ["current cache", lambda do SiteSetting.title - SiteSetting.enable_sso + SiteSetting.enable_discourse_connect end ], ["change default locale with current cache refreshed", lambda do diff --git a/script/benchmarks/site_setting/profile.rb b/script/benchmarks/site_setting/profile.rb index 0ad7bcde079..a849a18a363 100644 --- a/script/benchmarks/site_setting/profile.rb +++ b/script/benchmarks/site_setting/profile.rb @@ -13,7 +13,7 @@ require File.expand_path('../../../../config/environment', __FILE__) # warming up SiteSetting.title -SiteSetting.enable_sso +SiteSetting.enable_discourse_connect SiteSetting.default_locale = SiteSetting.default_locale == 'en' ? 'zh_CN' : 'en' SiteSetting.title = SecureRandom.hex @@ -22,7 +22,7 @@ profile do end profile do - SiteSetting.enable_sso + SiteSetting.enable_discourse_connect end profile do diff --git a/spec/components/composer_messages_finder_spec.rb b/spec/components/composer_messages_finder_spec.rb index 00cb9ac9952..50a8325576b 100644 --- a/spec/components/composer_messages_finder_spec.rb +++ b/spec/components/composer_messages_finder_spec.rb @@ -138,8 +138,8 @@ describe ComposerMessagesFinder do expect(finder.check_avatar_notification).to be_blank end - it "doesn't notify users if 'sso_overrides_avatar' setting is enabled" do - SiteSetting.sso_overrides_avatar = true + it "doesn't notify users if 'discourse_connect_overrides_avatar' setting is enabled" do + SiteSetting.discourse_connect_overrides_avatar = true expect(finder.check_avatar_notification).to be_blank end diff --git a/spec/components/concern/second_factor_manager_spec.rb b/spec/components/concern/second_factor_manager_spec.rb index 0be7d5b9d41..865b1113bb4 100644 --- a/spec/components/concern/second_factor_manager_spec.rb +++ b/spec/components/concern/second_factor_manager_spec.rb @@ -111,8 +111,8 @@ RSpec.describe SecondFactorManager do describe 'when SSO is enabled' do it 'should return false' do - SiteSetting.sso_url = 'http://someurl.com' - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = 'http://someurl.com' + SiteSetting.enable_discourse_connect = true expect(user.totp_enabled?).to eq(false) end @@ -437,8 +437,8 @@ RSpec.describe SecondFactorManager do describe 'when SSO is enabled' do it 'should return false' do - SiteSetting.sso_url = 'http://someurl.com' - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = 'http://someurl.com' + SiteSetting.enable_discourse_connect = true expect(user_backup.backup_codes_enabled?).to eq(false) end diff --git a/spec/components/guardian/user_guardian_spec.rb b/spec/components/guardian/user_guardian_spec.rb index 9d289d32160..9cd1af1a555 100644 --- a/spec/components/guardian/user_guardian_spec.rb +++ b/spec/components/guardian/user_guardian_spec.rb @@ -237,8 +237,8 @@ describe UserGuardian do include_examples "can_delete_user examples" it "isn't allowed when SSO is enabled" do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true expect(guardian.can_delete_user?(user)).to eq(false) end diff --git a/spec/components/guardian_spec.rb b/spec/components/guardian_spec.rb index 68b39f89fc9..c292582360c 100644 --- a/spec/components/guardian_spec.rb +++ b/spec/components/guardian_spec.rb @@ -690,8 +690,8 @@ describe Guardian do end it 'returns false for all users when sso is enabled' do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_falsey expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_falsey @@ -2714,9 +2714,9 @@ describe Guardian do context 'when SSO username override is active' do before do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true - SiteSetting.sso_overrides_username = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true + SiteSetting.auth_overrides_username = true end it "is false for admins" do @@ -2799,9 +2799,9 @@ describe Guardian do context 'when SSO email override is active' do before do SiteSetting.email_editable = false - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true - SiteSetting.sso_overrides_email = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true + SiteSetting.auth_overrides_email = true end it "is false for admins" do @@ -2878,8 +2878,8 @@ describe Guardian do context 'when SSO is disabled' do before do - SiteSetting.enable_sso = false - SiteSetting.sso_overrides_name = false + SiteSetting.enable_discourse_connect = false + SiteSetting.auth_overrides_name = false end it 'is true for admins' do @@ -2897,13 +2897,13 @@ describe Guardian do context 'when SSO is enabled' do before do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true end context 'when SSO name override is active' do before do - SiteSetting.sso_overrides_name = true + SiteSetting.auth_overrides_name = true end it 'is false for admins' do @@ -2921,7 +2921,7 @@ describe Guardian do context 'when SSO name override is not active' do before do - SiteSetting.sso_overrides_name = false + SiteSetting.auth_overrides_name = false end it 'is true for admins' do diff --git a/spec/components/validators/enable_invite_only_validator_spec.rb b/spec/components/validators/enable_invite_only_validator_spec.rb index fe3af0dccb6..fab1d200686 100644 --- a/spec/components/validators/enable_invite_only_validator_spec.rb +++ b/spec/components/validators/enable_invite_only_validator_spec.rb @@ -7,8 +7,8 @@ RSpec.describe EnableInviteOnlyValidator do context "when sso is enabled" do before do - SiteSetting.sso_url = "https://example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://example.com/sso" + SiteSetting.enable_discourse_connect = true end it "is valid when false" do @@ -18,7 +18,7 @@ RSpec.describe EnableInviteOnlyValidator do it "is isn't value for true" do expect(subject.valid_value?('t')).to eq(false) expect(subject.error_message).to eq(I18n.t( - 'site_settings.errors.sso_invite_only' + 'site_settings.errors.discourse_connect_invite_only' )) end end diff --git a/spec/components/validators/enable_sso_validator_spec.rb b/spec/components/validators/enable_sso_validator_spec.rb index 9114792d27f..3a2e549b92b 100644 --- a/spec/components/validators/enable_sso_validator_spec.rb +++ b/spec/components/validators/enable_sso_validator_spec.rb @@ -8,7 +8,7 @@ RSpec.describe EnableSsoValidator do describe '#valid_value?' do describe "when 'sso url' is empty" do before do - SiteSetting.sso_url = "" + SiteSetting.discourse_connect_url = "" end describe 'when val is false' do @@ -22,7 +22,7 @@ RSpec.describe EnableSsoValidator do expect(subject.valid_value?('t')).to eq(false) expect(subject.error_message).to eq(I18n.t( - 'site_settings.errors.sso_url_is_empty' + 'site_settings.errors.discourse_connect_url_is_empty' )) end end @@ -31,7 +31,7 @@ RSpec.describe EnableSsoValidator do describe "when invite_only is set" do before do SiteSetting.invite_only = true - SiteSetting.sso_url = 'https://example.com/sso' + SiteSetting.discourse_connect_url = 'https://example.com/sso' end it 'allows a false value' do @@ -41,14 +41,14 @@ RSpec.describe EnableSsoValidator do it "doesn't allow true" do expect(subject.valid_value?('t')).to eq(false) expect(subject.error_message).to eq(I18n.t( - 'site_settings.errors.sso_invite_only' + 'site_settings.errors.discourse_connect_invite_only' )) end end describe "when 'sso url' is present" do before do - SiteSetting.sso_url = "https://www.example.com/sso" + SiteSetting.discourse_connect_url = "https://www.example.com/sso" end describe 'when value is false' do diff --git a/spec/components/validators/sso_overrides_email_validator_spec.rb b/spec/components/validators/sso_overrides_email_validator_spec.rb index c4b0da34e16..a7951c632b0 100644 --- a/spec/components/validators/sso_overrides_email_validator_spec.rb +++ b/spec/components/validators/sso_overrides_email_validator_spec.rb @@ -8,8 +8,8 @@ RSpec.describe SsoOverridesEmailValidator do describe '#valid_value?' do describe "when 'email editable' is true" do before do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true SiteSetting.email_editable = true end @@ -32,8 +32,8 @@ RSpec.describe SsoOverridesEmailValidator do describe "when 'email editable' is false" do before do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true SiteSetting.email_editable = false end diff --git a/spec/jobs/export_csv_file_spec.rb b/spec/jobs/export_csv_file_spec.rb index 16c1023512b..f53d0536e50 100644 --- a/spec/jobs/export_csv_file_spec.rb +++ b/spec/jobs/export_csv_file_spec.rb @@ -210,8 +210,8 @@ describe Jobs::ExportCsvFile do end it 'exports sso data' do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true user = Fabricate(:user) user.user_profile.update_column(:location, "La,La Land") user.create_single_sign_on_record(external_id: "123", last_payload: "xxx", external_email: 'test@test.com') diff --git a/spec/lib/site_settings/validations_spec.rb b/spec/lib/site_settings/validations_spec.rb index 4f8358ff958..747099f39aa 100644 --- a/spec/lib/site_settings/validations_spec.rb +++ b/spec/lib/site_settings/validations_spec.rb @@ -151,10 +151,10 @@ describe SiteSettings::Validations do end context "when SSO is enabled" do - let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_sso_enabled") } + let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_discourse_connect_enabled") } before do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true end it "should raise an error" do diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb index fb318d16bcc..7867cfd38e1 100644 --- a/spec/models/discourse_single_sign_on_spec.rb +++ b/spec/models/discourse_single_sign_on_spec.rb @@ -4,12 +4,12 @@ require "rails_helper" describe DiscourseSingleSignOn do before do - @sso_url = "http://example.com/discourse_sso" - @sso_secret = "shjkfdhsfkjh" + @discourse_connect_url = "http://example.com/discourse_sso" + @discourse_connect_secret = "shjkfdhsfkjh" - SiteSetting.sso_url = @sso_url - SiteSetting.enable_sso = true - SiteSetting.sso_secret = @sso_secret + SiteSetting.discourse_connect_url = @discourse_connect_url + SiteSetting.enable_discourse_connect = true + SiteSetting.discourse_connect_secret = @discourse_connect_secret Jobs.run_immediately! end @@ -114,7 +114,7 @@ describe DiscourseSingleSignOn do end it "unstaged users" do - SiteSetting.sso_overrides_name = true + SiteSetting.auth_overrides_name = true email = "staged@user.com" Fabricate(:user, staged: true, email: email) @@ -195,7 +195,7 @@ describe DiscourseSingleSignOn do sso.groups = "#{group2.name.capitalize},group4,badname,trust_level_4" sso.lookup_or_create_user(ip_address) - SiteSetting.sso_overrides_groups = true + SiteSetting.discourse_connect_overrides_groups = true group1.reload expect(group1.usernames).to eq("") @@ -260,7 +260,7 @@ describe DiscourseSingleSignOn do end it 'can override username properly when only the case changes' do - SiteSetting.sso_overrides_username = true + SiteSetting.auth_overrides_username = true sso = DiscourseSingleSignOn.new sso.username = "testuser" @@ -280,8 +280,8 @@ describe DiscourseSingleSignOn do expect(user.username).to eq "TestUser" end - it 'behaves properly when sso_overrides_username is set but username is missing or blank' do - SiteSetting.sso_overrides_username = true + it 'behaves properly when auth_overrides_username is set but username is missing or blank' do + SiteSetting.auth_overrides_username = true sso = DiscourseSingleSignOn.new sso.username = "testuser" @@ -310,9 +310,9 @@ describe DiscourseSingleSignOn do admin = Fabricate(:admin) SiteSetting.email_editable = false - SiteSetting.sso_overrides_name = true - SiteSetting.sso_overrides_email = true - SiteSetting.sso_overrides_username = true + SiteSetting.auth_overrides_name = true + SiteSetting.auth_overrides_email = true + SiteSetting.auth_overrides_username = true sso = DiscourseSingleSignOn.new sso.username = "bob%the$admin" @@ -378,7 +378,7 @@ describe DiscourseSingleSignOn do it "generates a correct sso url" do url, payload = DiscourseSingleSignOn.generate_url.split("?") - expect(url).to eq @sso_url + expect(url).to eq @discourse_connect_url sso = DiscourseSingleSignOn.parse(payload) expect(sso.nonce).to_not be_nil @@ -447,7 +447,7 @@ describe DiscourseSingleSignOn do it 'does not deactivate user if email provided is capitalized' do SiteSetting.email_editable = false - SiteSetting.sso_overrides_email = true + SiteSetting.auth_overrides_email = true sso.require_activation = true user = sso.lookup_or_create_user(ip_address) @@ -465,7 +465,7 @@ describe DiscourseSingleSignOn do it 'deactivates accounts that have updated email address' do SiteSetting.email_editable = false - SiteSetting.sso_overrides_email = true + SiteSetting.auth_overrides_email = true sso.require_activation = true user = sso.lookup_or_create_user(ip_address) @@ -567,7 +567,7 @@ describe DiscourseSingleSignOn do # yes override if site setting sso.bio = "new profile 2" - SiteSetting.sso_overrides_bio = true + SiteSetting.discourse_connect_overrides_bio = true user = sso.lookup_or_create_user(ip_address) expect(user.user_profile.bio_cooked).to match_html("

new profile 2 "true", - "sso_url" => sso_url + "enable_discourse_connect" => "true", + "discourse_connect_url" => sso_url ) end end diff --git a/spec/services/user_updater_spec.rb b/spec/services/user_updater_spec.rb index 7ed290999e5..717bc0aa5d5 100644 --- a/spec/services/user_updater_spec.rb +++ b/spec/services/user_updater_spec.rb @@ -267,9 +267,9 @@ describe UserUpdater do context 'when sso overrides bio' do it 'does not change bio' do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true - SiteSetting.sso_overrides_bio = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true + SiteSetting.discourse_connect_overrides_bio = true user = Fabricate(:user) updater = UserUpdater.new(acting_user, user) @@ -283,9 +283,9 @@ describe UserUpdater do context 'when sso overrides location' do it 'does not change location' do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true - SiteSetting.sso_overrides_location = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true + SiteSetting.discourse_connect_overrides_location = true user = Fabricate(:user) updater = UserUpdater.new(acting_user, user) @@ -299,9 +299,9 @@ describe UserUpdater do context 'when sso overrides website' do it 'does not change website' do - SiteSetting.sso_url = "https://www.example.com/sso" - SiteSetting.enable_sso = true - SiteSetting.sso_overrides_website = true + SiteSetting.discourse_connect_url = "https://www.example.com/sso" + SiteSetting.enable_discourse_connect = true + SiteSetting.discourse_connect_overrides_website = true user = Fabricate(:user) updater = UserUpdater.new(acting_user, user)