mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-03-05 23:57:13 +08:00
184388879d
### What problem does this PR solve? Enterprise deployments that use an external Identity Provider (e.g., Microsoft Entra ID, Okta, Keycloak) need the ability to enforce SSO-only authentication by hiding the email/password login form. Currently, the login page always shows the password form alongside OAuth buttons, with no way to disable it. This PR adds a `disable_password_login` configuration option under the existing `authentication` section in `service_conf.yaml`. When set to `true`, the login page only displays configured OAuth/SSO buttons and hides the email/password form, "Remember me" checkbox, and "Sign up" link. The flag can be set via: - `service_conf.yaml` (`authentication.disable_password_login: true`) - Environment variable (`DISABLE_PASSWORD_LOGIN=true`) Default behavior is unchanged (`false`). ### Behavior | `disable_password_login` | OAuth configured | Result | |---|---|---| | `false` (default) | No | Standard email/password form | | `false` | Yes | Email/password form + SSO buttons below | | `true` | Yes | **SSO buttons only** (no form, no sign up link) | | `true` | No | Empty card (admin should configure OAuth first) | ### Type of change - [x] New Feature (non-breaking change which adds functionality) ### Files changed (5) 1. `docker/service_conf.yaml.template` — added `disable_password_login: false` under authentication 2. `common/settings.py` — added `DISABLE_PASSWORD_LOGIN` global variable and loader in `init_settings()` 3. `common/config_utils.py` — fixed `TypeError` in `show_configs()` when authentication section contains non-dict values (e.g., booleans) 4. `api/apps/system_app.py` — exposed `disablePasswordLogin` flag in `/config` endpoint 5. `web/src/pages/login/index.tsx` — conditionally render password form based on config flag; OAuth buttons always render when channels exist --------- Co-authored-by: Ahmad Intisar <ahmadintisar@Ahmads-MacBook-M4-Pro.local>
155 lines
5.0 KiB
Python
155 lines
5.0 KiB
Python
#
|
|
# Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
import os
|
|
import copy
|
|
import logging
|
|
import importlib
|
|
from filelock import FileLock
|
|
|
|
from common.file_utils import get_project_base_directory
|
|
from common.constants import SERVICE_CONF
|
|
from ruamel.yaml import YAML
|
|
|
|
|
|
def load_yaml_conf(conf_path):
|
|
if not os.path.isabs(conf_path):
|
|
conf_path = os.path.join(get_project_base_directory(), conf_path)
|
|
try:
|
|
with open(conf_path) as f:
|
|
yaml = YAML(typ="safe", pure=True)
|
|
return yaml.load(f)
|
|
except Exception as e:
|
|
raise EnvironmentError("loading yaml file config from {} failed:".format(conf_path), e)
|
|
|
|
|
|
def rewrite_yaml_conf(conf_path, config):
|
|
if not os.path.isabs(conf_path):
|
|
conf_path = os.path.join(get_project_base_directory(), conf_path)
|
|
try:
|
|
with open(conf_path, "w") as f:
|
|
yaml = YAML(typ="safe")
|
|
yaml.dump(config, f)
|
|
except Exception as e:
|
|
raise EnvironmentError("rewrite yaml file config {} failed:".format(conf_path), e)
|
|
|
|
|
|
def conf_realpath(conf_name):
|
|
conf_path = f"conf/{conf_name}"
|
|
return os.path.join(get_project_base_directory(), conf_path)
|
|
|
|
|
|
def read_config(conf_name=SERVICE_CONF):
|
|
local_config = {}
|
|
local_path = conf_realpath(f'local.{conf_name}')
|
|
|
|
# load local config file
|
|
if os.path.exists(local_path):
|
|
local_config = load_yaml_conf(local_path)
|
|
if not isinstance(local_config, dict):
|
|
raise ValueError(f'Invalid config file: "{local_path}".')
|
|
|
|
global_config_path = conf_realpath(conf_name)
|
|
global_config = load_yaml_conf(global_config_path)
|
|
|
|
if not isinstance(global_config, dict):
|
|
raise ValueError(f'Invalid config file: "{global_config_path}".')
|
|
|
|
global_config.update(local_config)
|
|
return global_config
|
|
|
|
|
|
CONFIGS = read_config()
|
|
|
|
|
|
def show_configs():
|
|
msg = f"Current configs, from {conf_realpath(SERVICE_CONF)}:"
|
|
for k, v in CONFIGS.items():
|
|
if isinstance(v, dict):
|
|
if "password" in v:
|
|
v = copy.deepcopy(v)
|
|
v["password"] = "*" * 8
|
|
if "access_key" in v:
|
|
v = copy.deepcopy(v)
|
|
v["access_key"] = "*" * 8
|
|
if "secret_key" in v:
|
|
v = copy.deepcopy(v)
|
|
v["secret_key"] = "*" * 8
|
|
if "secret" in v:
|
|
v = copy.deepcopy(v)
|
|
v["secret"] = "*" * 8
|
|
if "sas_token" in v:
|
|
v = copy.deepcopy(v)
|
|
v["sas_token"] = "*" * 8
|
|
if "oauth" in k:
|
|
v = copy.deepcopy(v)
|
|
for key, val in v.items():
|
|
if "client_secret" in val:
|
|
val["client_secret"] = "*" * 8
|
|
if "authentication" in k:
|
|
v = copy.deepcopy(v)
|
|
for key, val in v.items():
|
|
if isinstance(val, dict) and "http_secret_key" in val:
|
|
val["http_secret_key"] = "*" * 8
|
|
msg += f"\n\t{k}: {v}"
|
|
logging.info(msg)
|
|
|
|
|
|
def get_base_config(key, default=None):
|
|
if key is None:
|
|
return None
|
|
if default is None:
|
|
default = os.environ.get(key.upper())
|
|
return CONFIGS.get(key, default)
|
|
|
|
|
|
def decrypt_database_password(password):
|
|
encrypt_password = get_base_config("encrypt_password", False)
|
|
encrypt_module = get_base_config("encrypt_module", False)
|
|
private_key = get_base_config("private_key", None)
|
|
|
|
if not password or not encrypt_password:
|
|
return password
|
|
|
|
if not private_key:
|
|
raise ValueError("No private key")
|
|
|
|
module_fun = encrypt_module.split("#")
|
|
pwdecrypt_fun = getattr(
|
|
importlib.import_module(
|
|
module_fun[0]),
|
|
module_fun[1])
|
|
|
|
return pwdecrypt_fun(private_key, password)
|
|
|
|
|
|
def decrypt_database_config(database=None, passwd_key="password", name="database"):
|
|
if not database:
|
|
database = get_base_config(name, {})
|
|
|
|
database[passwd_key] = decrypt_database_password(database[passwd_key])
|
|
return database
|
|
|
|
|
|
def update_config(key, value, conf_name=SERVICE_CONF):
|
|
conf_path = conf_realpath(conf_name=conf_name)
|
|
if not os.path.isabs(conf_path):
|
|
conf_path = os.path.join(get_project_base_directory(), conf_path)
|
|
|
|
with FileLock(os.path.join(os.path.dirname(conf_path), ".lock")):
|
|
config = load_yaml_conf(conf_path=conf_path) or {}
|
|
config[key] = value
|
|
rewrite_yaml_conf(conf_path=conf_path, config=config) |