Skip to content

Commit

Permalink
Lock user instead
Browse files Browse the repository at this point in the history
  • Loading branch information
oliverguenther committed Nov 26, 2024
1 parent 743f62d commit 834d8c5
Show file tree
Hide file tree
Showing 9 changed files with 38 additions and 66 deletions.
22 changes: 7 additions & 15 deletions app/seeders/admin_user_seeder.rb
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,14 @@
#++
class AdminUserSeeder < Seeder
def seed_data!
if Setting.seed_admin_user_enabled?
seed_admin!
user = new_admin
if user.save!(validate: false)
seed_data.store_reference(:openproject_admin, user)
else
Seeder.logger.debug { " *** skipped as explicity disabled with OPENPROJECT_SEED_ADMIN_USER_ENABLED" }
print_error "Seeding admin failed:"
user.errors.full_messages.each do |msg|
print_error " #{msg}"
end
end
end

Expand All @@ -46,18 +50,6 @@ def not_applicable_message
"No need to seed an admin as there already is one."
end

def seed_admin!
user = new_admin
if user.save!(validate: false)
seed_data.store_reference(:openproject_admin, user)
else
print_error "Seeding admin failed:"
user.errors.full_messages.each do |msg|
print_error " #{msg}"
end
end
end

def new_admin # rubocop:disable Metrics/AbcSize
User.new.tap do |user|
user.admin = true
Expand Down
5 changes: 5 additions & 0 deletions app/seeders/root_seeder.rb
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,11 @@ def do_seed!
seed_development_data if seed_development_data?
seed_plugins_data
seed_env_data
cleanup_seed_data
end

def cleanup_seed_data
admin_user.lock! if Setting.seed_admin_user_locked?
end

def seed_development_data?
Expand Down
2 changes: 1 addition & 1 deletion app/seeders/seeder.rb
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ def not_applicable_message

# The user being the author of all data created during seeding.
def admin_user
@admin_user ||= (User.not_builtin.admin.first || User.system)
@admin_user ||= User.not_builtin.admin.first
end

protected
Expand Down
8 changes: 4 additions & 4 deletions config/constants/settings/definition.rb
Original file line number Diff line number Diff line change
Expand Up @@ -923,10 +923,10 @@ class Definition
default: "https://releases.openproject.com/v1/check.svg",
writable: false
},
seed_admin_user_enabled: {
description: "Enable creating the admin user on first startup. " \
"If set to false, an admin user has to be created manually.",
default: true,
seed_admin_user_locked: {
description: "Lock the created admin user after seeding, so it can not be used for logging in. " \
"If set to true, an admin user has to be created manually or through an SSO provider.",
default: false,
writable: false
},
seed_admin_user_password: {
Expand Down
6 changes: 4 additions & 2 deletions docs/installation-and-operations/configuration/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,14 +173,16 @@ OPENPROJECT_SEED_ADMIN_USER_NAME="OpenProject Admin" # Name to assign to that us
OPENPROJECT_SEED_ADMIN_USER_MAIL="[email protected]" # Email attribute to assign to that user. Note that in packaged installations, a wizard step will assign this variable as well.
```

Optionally, you can also completely disable the creation of such a user.
Optionally, you can also lock the admin user that gets created right away. This is useful when you have an LDAP or SSO integration set up and you want to prevent the admin user from logging in.

```shell

> [!WARNING]
> With the admin user seeding disabled, you need to have an LDAP or SSO integration set up through environment variables.
> Otherwise, you will not be able to retain access to the system.

```shell
OPENPROJECT_SEED_ADMIN_USER_DISABLED="true"
OPENPROJECT_SEED_ADMIN_USER_LOCKED="true"
```

### Seeding LDAP connections
Expand Down
19 changes: 6 additions & 13 deletions modules/bim/spec/seeders/root_seeder_bim_edition_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -250,33 +250,26 @@ def group_name(reference)
include_examples "no email deliveries"
end

context "when admin user creation is disabled with OPENPROJECT_SEED_ADMIN_USER_ENABLED=false",
context "when admin user creation is locked with OPENPROJECT_SEED_ADMIN_USER_LOCKED=true",
:settings_reset do
shared_let(:root_seeder) { described_class.new }

before_all do
with_env("OPENPROJECT_SEED_ADMIN_USER_ENABLED" => "false") do
with_env("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true") do
with_edition("bim") do
reset(:seed_admin_user_enabled)
reset(:seed_admin_user_locked)
root_seeder.seed_data!
end
end
ensure
reset(:seed_admin_user_enabled)
reset(:seed_admin_user_locked)
RequestStore.clear! # resets `User.current` cached result
end

it "creates the system user" do
expect(SystemUser.where(admin: true).count).to eq 1
end

it "does not create an admin user" do
expect(User.not_builtin.where(admin: true).count).to eq 0
end

it "seeds without any errors" do
it "seeds without any errors, but locks the admin user", :aggregate_failures do
expect(Project.count).to eq 4
expect(WorkPackage.count).to eq 76
expect(root_seeder.admin_user).to be_locked
end
end
end
13 changes: 1 addition & 12 deletions spec/seeders/admin_user_seeder_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -39,18 +39,6 @@
expect { seeder.seed! }.to change { User.admin.count }.by(1)
end

context "when skipped with OPENPROJECT_SEED_ADMIN_USER_ENABLED=false",
:settings_reset,
with_env: {
OPENPROJECT_SEED_ADMIN_USER_ENABLED: "false"
} do
it "skips the creation" do
reset(:seed_admin_user_enabled)

expect { seeder.seed! }.not_to change { User.admin.count }
end
end

context "when providing admin user seed variables",
:settings_reset,
with_env: {
Expand All @@ -68,6 +56,7 @@
seeder.seed!

admin = User.admin.last
expect(admin).to be_active
expect(admin.firstname).to eq "foo"
expect(admin.lastname).to eq "bar"
expect(admin.mail).to eq "[email protected]"
Expand Down
19 changes: 6 additions & 13 deletions spec/seeders/root_seeder_standard_edition_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -287,33 +287,26 @@
include_examples "no email deliveries"
end

context "when admin user creation is disabled with OPENPROJECT_SEED_ADMIN_USER_ENABLED=false",
context "when admin user creation is locked with OPENPROJECT_SEED_ADMIN_USER_LOCKED=true",
:settings_reset do
shared_let(:root_seeder) { described_class.new }

before_all do
with_env("OPENPROJECT_SEED_ADMIN_USER_ENABLED" => "false") do
with_env("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true") do
with_edition("standard") do
reset(:seed_admin_user_enabled)
reset(:seed_admin_user_locked)
root_seeder.seed_data!
end
end
ensure
reset(:seed_admin_user_enabled)
reset(:seed_admin_user_locked)
RequestStore.clear! # resets `User.current` cached result
end

it "creates the system user" do
expect(SystemUser.where(admin: true).count).to eq 1
end

it "does not create an admin user" do
expect(User.not_builtin.where(admin: true).count).to eq 0
end

it "seeds without any errors" do
it "seeds without any errors, but locks the admin user", :aggregate_failures do
expect(Project.count).to eq 2
expect(WorkPackage.count).to eq 36
expect(root_seeder.admin_user).to be_locked
end
end
end
10 changes: 4 additions & 6 deletions spec/seeders/seeder_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -37,16 +37,14 @@

describe "#admin_user" do
it "returns the admin created from the seeding" do
expect(seeder.admin_user).to eq(User.system)
expect { AdminUserSeeder.new(seed_data).seed! }.to change { User.admin.count }.by(1)
expect(seeder.admin_user).to eq(User.system)

expect(described_class.new.admin_user).to eq(User.not_builtin.admin.first)
expect(seeder.admin_user).to be_nil
AdminUserSeeder.new(seed_data).seed!
expect(seeder.admin_user).to be_a(User)
end

it "does not return the system user" do
expect { User.system }.to change { User.admin.count }.by(1)
expect(seeder.admin_user).to eq(User.system)
expect(seeder.admin_user).to be_nil
end
end
end

0 comments on commit 834d8c5

Please sign in to comment.