github-mirrors/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-04-18 19:24:50 -04:00
Code Issues Projects Releases Packages Wiki Activity

Reverted all previous Oauth2 filepath code, thinking is there some better way.

Browse source 
Thanks to xet7 !

Related https://github.com/wekan/wekan/pull/5619,
related https://github.com/wekan/wekan/pull/5616
This commit is contained in:
Lauri Ojansivu 2024-12-13 01:51:42 +02:00
parent 83d22c9ebf
commit c936d83b38
3 changed files with 309 additions and 238 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

527
packages/wekan-oidc/oidc_server.js
View file

@ -1,260 +1,349 @@
import { addGroupsWithAttributes, addEmail, changeFullname, changeUsername } from './loginHandler';
const fs = Npm.require('fs'); // For file handling
import {addGroupsWithAttributes, addEmail, changeFullname, changeUsername} from './loginHandler';
Oidc = {};
httpCa = false;
// Load CA certificate if specified in the environment variable
if (process.env.OAUTH2_CA_CERT !== undefined) {
try {
const fs = Npm.require('fs');
if (fs.existsSync(process.env.OAUTH2_CA_CERT)) {
httpCa = fs.readFileSync(process.env.OAUTH2_CA_CERT);
httpCa = fs.readFileSync(process.env.OAUTH2_CA_CERT);
}
} catch (e) {
console.log('WARNING: failed loading: ' + process.env.OAUTH2_CA_CERT);
console.log(e);
} catch(e) {
console.log('WARNING: failed loading: ' + process.env.OAUTH2_CA_CERT);
console.log(e);
}
}
var profile = {};
var serviceData = {};
var userinfo = {};
// Function to read the allowed emails from a local file specified in the environment variable
var getAllowedEmailsFromFile = function() {
var allowedEmails = [];
const filePath = process.env.OAUTH2_ALLOWEDEMAILS_FILEPATH; // Get the file path from environment variable
if (!filePath) {
throw new Error("OAUTH2_ALLOWEDEMAILS_FILEPATH environment variable is not set.");
}
try {
// Read the allowed emails file
const data = fs.readFileSync(filePath, 'utf-8');
allowedEmails = data.split('\n').map(email => email.trim());
} catch (error) {
console.error("Error reading allowed emails file:", error);
}
return allowedEmails;
};
// OAuth service registration
OAuth.registerService('oidc', 2, null, function (query) {
var debug = process.env.DEBUG === 'true';
var debug = process.env.DEBUG === 'true';
var token = getToken(query);
if (debug) console.log('XXX: register token:', token);
var token = getToken(query);
if (debug) console.log('XXX: register token:', token);
var accessToken = token.access_token || token.id_token;
var expiresAt = (+new Date) + (1000 * parseInt(token.expires_in, 10));
var accessToken = token.access_token || token.id_token;
var expiresAt = (+new Date) + (1000 * parseInt(token.expires_in, 10));
var claimsInAccessToken = (process.env.OAUTH2_ADFS_ENABLED === 'true' ||
process.env.OAUTH2_ADFS_ENABLED === true ||
process.env.OAUTH2_B2C_ENABLED === 'true' ||
process.env.OAUTH2_B2C_ENABLED === true) || false;
var claimsInAccessToken = (process.env.OAUTH2_ADFS_ENABLED === 'true' ||
process.env.OAUTH2_ADFS_ENABLED === true ||
process.env.OAUTH2_B2C_ENABLED === 'true' ||
process.env.OAUTH2_B2C_ENABLED === true) || false;
if (claimsInAccessToken) {
userinfo = getTokenContent(accessToken);
if(claimsInAccessToken)
{
// hack when using custom claims in the accessToken. On premise ADFS. And Azure AD B2C.
userinfo = getTokenContent(accessToken);
}
else
{
// normal behaviour, getting the claims from UserInfo endpoint.
userinfo = getUserInfo(accessToken);
}
if (userinfo.ocs) userinfo = userinfo.ocs.data; // Nextcloud hack
if (userinfo.metadata) userinfo = userinfo.metadata // Openshift hack
if (debug) console.log('XXX: userinfo:', userinfo);
serviceData.id = userinfo[process.env.OAUTH2_ID_MAP]; // || userinfo["id"];
serviceData.username = userinfo[process.env.OAUTH2_USERNAME_MAP]; // || userinfo["uid"];
serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
serviceData.accessToken = accessToken;
serviceData.expiresAt = expiresAt;
// If on Oracle OIM email is empty or null, get info from username
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
if (userinfo[process.env.OAUTH2_EMAIL_MAP]) {
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP];
} else {
userinfo = getUserInfo(accessToken);
serviceData.email = userinfo[process.env.OAUTH2_USERNAME_MAP];
}
}
if (userinfo.ocs) userinfo = userinfo.ocs.data;
if (userinfo.metadata) userinfo = userinfo.metadata;
if (debug) console.log('XXX: userinfo:', userinfo);
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
}
serviceData.id = userinfo[process.env.OAUTH2_ID_MAP];
serviceData.username = userinfo[process.env.OAUTH2_USERNAME_MAP];
serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP];
serviceData.accessToken = accessToken;
serviceData.expiresAt = expiresAt;
if (process.env.OAUTH2_B2C_ENABLED === 'true' || process.env.OAUTH2_B2C_ENABLED === true) {
serviceData.email = userinfo["emails"][0];
}
// Oracle OIM and B2C checks remain the same
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
if (userinfo[process.env.OAUTH2_EMAIL_MAP]) {
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP];
} else {
serviceData.email = userinfo[process.env.OAUTH2_USERNAME_MAP];
}
}
if (accessToken) {
var tokenContent = getTokenContent(accessToken);
var fields = _.pick(tokenContent, getConfiguration().idTokenWhitelistFields);
_.extend(serviceData, fields);
}
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP];
}
if (token.refresh_token)
serviceData.refreshToken = token.refresh_token;
if (debug) console.log('XXX: serviceData:', serviceData);
if (process.env.OAUTH2_B2C_ENABLED === 'true' || process.env.OAUTH2_B2C_ENABLED === true) {
serviceData.email = userinfo["emails"][0];
}
profile.name = userinfo[process.env.OAUTH2_FULLNAME_MAP]; // || userinfo["displayName"];
profile.email = userinfo[process.env.OAUTH2_EMAIL_MAP]; // || userinfo["email"];
if (accessToken) {
var tokenContent = getTokenContent(accessToken);
var fields = _.pick(tokenContent, getConfiguration().idTokenWhitelistFields);
_.extend(serviceData, fields);
}
if (process.env.OAUTH2_B2C_ENABLED === 'true' || process.env.OAUTH2_B2C_ENABLED === true) {
profile.email = userinfo["emails"][0];
}
if (token.refresh_token)
serviceData.refreshToken = token.refresh_token;
if (debug) console.log('XXX: serviceData:', serviceData);
if (debug) console.log('XXX: profile:', profile);
profile.name = userinfo[process.env.OAUTH2_FULLNAME_MAP];
profile.email = userinfo[process.env.OAUTH2_EMAIL_MAP];
if (process.env.OAUTH2_B2C_ENABLED === 'true' || process.env.OAUTH2_B2C_ENABLED === true) {
profile.email = userinfo["emails"][0];
}
//temporarily store data from oidc in user.services.oidc.groups to update groups
serviceData.groups = (userinfo["groups"] && userinfo["wekanGroups"]) ? userinfo["wekanGroups"] : userinfo["groups"];
// groups arriving as array of strings indicate there is no scope set in oidc privider
// to assign teams and keep admin privileges
// data needs to be treated differently.
// use case: in oidc provider no scope is set, hence no group attributes.
// therefore: keep admin privileges for wekan as before
if(Array.isArray(serviceData.groups) && serviceData.groups.length && typeof serviceData.groups[0] === "string" )
{
user = Meteor.users.findOne({'_id': serviceData.id});
if (debug) console.log('XXX: profile:', profile);
serviceData.groups.forEach(function(groupName, i)
{
if(user?.isAdmin && i == 0)
{
// keep information of user.isAdmin since in loginHandler the user will // be updated regarding group admin privileges provided via oidc
serviceData.groups[i] = {"isAdmin": true};
serviceData.groups[i]["displayName"]= groupName;
}
else
{
serviceData.groups[i] = {"displayName": groupName};
}
});
}
// New code: Check if the user's email is in the allowed emails list (only if oauth2-checkemails is true)
if (process.env.OAUTH2_CHECKEMAILS === 'true') {
const allowedEmails = getAllowedEmailsFromFile();
if (!allowedEmails.includes(profile.email)) {
throw new Error("Email not allowed: " + profile.email);
}
}
// Fix OIDC login loop for integer user ID. Thanks to danielkaiser.
// https://github.com/wekan/wekan/issues/4795
Meteor.call('groupRoutineOnLogin',serviceData, ""+serviceData.id);
Meteor.call('boardRoutineOnLogin',serviceData, ""+serviceData.id);
// Temporarily store data from oidc in user.services.oidc.groups to update groups
serviceData.groups = (userinfo["groups"] && userinfo["wekanGroups"]) ? userinfo["wekanGroups"] : userinfo["groups"];
if (Array.isArray(serviceData.groups) && serviceData.groups.length && typeof serviceData.groups[0] === "string") {
user = Meteor.users.findOne({'_id': serviceData.id});
serviceData.groups.forEach(function (groupName, i) {
if (user?.isAdmin && i == 0) {
serviceData.groups[i] = {"isAdmin": true};
serviceData.groups[i]["displayName"] = groupName;
} else {
serviceData.groups[i] = {"displayName": groupName};
}
});
}
// Fix OIDC login loop for integer user ID. Thanks to danielkaiser.
Meteor.call('groupRoutineOnLogin', serviceData, "" + serviceData.id);
Meteor.call('boardRoutineOnLogin', serviceData, "" + serviceData.id);
return {
serviceData: serviceData,
options: { profile: profile }
};
return {
serviceData: serviceData,
options: { profile: profile }
};
});
// Function to retrieve token based on environment
var getToken = function (query) {
var debug = process.env.DEBUG === 'true';
var config = getConfiguration();
var serverTokenEndpoint = config.tokenEndpoint.includes('https://') ?
config.tokenEndpoint : config.serverUrl + config.tokenEndpoint;
var response;
try {
var postOptions = {
headers: {
Accept: 'application/json',
"User-Agent": "Meteor"
},
params: {
code: query.code,
client_id: config.clientId,
client_secret: OAuth.openSecret(config.secret),
redirect_uri: OAuth._redirectUri('oidc', config),
grant_type: 'authorization_code',
state: query.state
}
};
if (httpCa) {
postOptions['npmRequestOptions'] = { ca: httpCa };
}
response = HTTP.post(serverTokenEndpoint, postOptions);
} catch (err) {
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
{ response: err.response });
}
if (response.data.error) {
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
} else {
return response.data;
}
};
// Function to fetch user information from the OIDC service
var getUserInfo = function (accessToken) {
var debug = process.env.DEBUG === 'true';
var config = getConfiguration();
var serverUserinfoEndpoint = config.userinfoEndpoint.includes("https://") ?
config.userinfoEndpoint : config.serverUrl + config.userinfoEndpoint;
var response;
try {
var getOptions = {
headers: {
"User-Agent": "Meteor",
"Authorization": "Bearer " + accessToken
}
};
if (httpCa) {
getOptions['npmRequestOptions'] = { ca: httpCa };
}
response = HTTP.get(serverUserinfoEndpoint, getOptions);
} catch (err) {
throw _.extend(new Error("Failed to fetch userinfo from OIDC " + serverUserinfoEndpoint + ": " + err.message),
{response: err.response});
}
return response.data;
};
// Function to get the configuration of the OIDC service
var getConfiguration = function () {
var config = ServiceConfiguration.configurations.findOne({ service: 'oidc' });
if (!config) {
throw new ServiceConfiguration.ConfigError('Service oidc not configured.');
}
return config;
};
// Function to decode the token content (JWT)
var getTokenContent = function (token) {
var content = null;
if (token) {
try {
var parts = token.split('.');
var header = JSON.parse(Buffer.from(parts[0], 'base64').toString());
content = JSON.parse(Buffer.from(parts[1], 'base64').toString());
} catch (err) {
content = { exp: 0 };
}
}
return content;
var userAgent = "Meteor";
if (Meteor.release) {
userAgent += "/" + Meteor.release;
}
// Meteor methods to update groups and boards on login
Meteor.methods({
'groupRoutineOnLogin': function(info, userId) {
check(info, Object);
check(userId, String);
var propagateOidcData = process.env.PROPAGATE_OIDC_DATA || false;
if (propagateOidcData) {
users = Meteor.users;
user = users.findOne({'services.oidc.id': userId});
if (user) {
if (info.groups) {
addGroupsWithAttributes(user, info.groups);
}
if(info.email) addEmail(user, info.email);
if(info.fullname) changeFullname(user, info.fullname);
if(info.username) changeUsername(user, info.username);
}
}
if (process.env.ORACLE_OIM_ENABLED !== 'true' && process.env.ORACLE_OIM_ENABLED !== true) {
var getToken = function (query) {
var debug = process.env.DEBUG === 'true';
var config = getConfiguration();
if(config.tokenEndpoint.includes('https://')){
var serverTokenEndpoint = config.tokenEndpoint;
}else{
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
}
var requestPermissions = config.requestPermissions;
var response;
try {
var postOptions = {
headers: {
Accept: 'application/json',
"User-Agent": userAgent
},
params: {
code: query.code,
client_id: config.clientId,
client_secret: OAuth.openSecret(config.secret),
redirect_uri: OAuth._redirectUri('oidc', config),
grant_type: 'authorization_code',
state: query.state
}
};
if (httpCa) {
postOptions['npmRequestOptions'] = { ca: httpCa };
}
response = HTTP.post(serverTokenEndpoint, postOptions);
} catch (err) {
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
{ response: err.response });
}
if (response.data.error) {
// if the http response was a json object with an error attribute
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
} else {
if (debug) console.log('XXX: getToken response: ', response.data);
return response.data;
}
};
}
if (process.env.ORACLE_OIM_ENABLED === 'true' || process.env.ORACLE_OIM_ENABLED === true) {
var getToken = function (query) {
var debug = process.env.DEBUG === 'true';
var config = getConfiguration();
if(config.tokenEndpoint.includes('https://')){
var serverTokenEndpoint = config.tokenEndpoint;
}else{
var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
}
var requestPermissions = config.requestPermissions;
var response;
// OIM needs basic Authentication token in the header - ClientID + SECRET in base64
var dataToken=null;
var strBasicToken=null;
var strBasicToken64=null;
dataToken = process.env.OAUTH2_CLIENT_ID + ':' + process.env.OAUTH2_SECRET;
strBasicToken = new Buffer(dataToken);
strBasicToken64 = strBasicToken.toString('base64');
// eslint-disable-next-line no-console
if (debug) console.log('Basic Token: ', strBasicToken64);
try {
var postOptions = {
headers: {
Accept: 'application/json',
"User-Agent": userAgent,
"Authorization": "Basic " + strBasicToken64
},
params: {
code: query.code,
client_id: config.clientId,
client_secret: OAuth.openSecret(config.secret),
redirect_uri: OAuth._redirectUri('oidc', config),
grant_type: 'authorization_code',
state: query.state
}
};
if (httpCa) {
postOptions['npmRequestOptions'] = { ca: httpCa };
}
response = HTTP.post(serverTokenEndpoint, postOptions);
} catch (err) {
throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
{ response: err.response });
}
if (response.data.error) {
// if the http response was a json object with an error attribute
throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
} else {
// eslint-disable-next-line no-console
if (debug) console.log('XXX: getToken response: ', response.data);
return response.data;
}
};
}
var getUserInfo = function (accessToken) {
var debug = process.env.DEBUG === 'true';
var config = getConfiguration();
// Some userinfo endpoints use a different base URL than the authorization or token endpoints.
// This logic allows the end user to override the setting by providing the full URL to userinfo in their config.
if (config.userinfoEndpoint.includes("https://")) {
var serverUserinfoEndpoint = config.userinfoEndpoint;
} else {
var serverUserinfoEndpoint = config.serverUrl + config.userinfoEndpoint;
}
var response;
try {
var getOptions = {
headers: {
"User-Agent": userAgent,
"Authorization": "Bearer " + accessToken
}
};
if (httpCa) {
getOptions['npmRequestOptions'] = { ca: httpCa };
}
response = HTTP.get(serverUserinfoEndpoint, getOptions);
} catch (err) {
throw _.extend(new Error("Failed to fetch userinfo from OIDC " + serverUserinfoEndpoint + ": " + err.message),
{response: err.response});
}
if (debug) console.log('XXX: getUserInfo response: ', response.data);
return response.data;
};
var getConfiguration = function () {
var config = ServiceConfiguration.configurations.findOne({ service: 'oidc' });
if (!config) {
throw new ServiceConfiguration.ConfigError('Service oidc not configured.');
}
return config;
};
var getTokenContent = function (token) {
var content = null;
if (token) {
try {
var parts = token.split('.');
var header = JSON.parse(Buffer.from(parts[0], 'base64').toString());
content = JSON.parse(Buffer.from(parts[1], 'base64').toString());
var signature = Buffer.from(parts[2], 'base64');
var signed = parts[0] + '.' + parts[1];
} catch (err) {
this.content = {
exp: 0
};
}
}
return content;
}
Meteor.methods({
'groupRoutineOnLogin': function(info, userId)
{
check(info, Object);
check(userId, String);
var propagateOidcData = process.env.PROPAGATE_OIDC_DATA || false;
if (propagateOidcData) {
users= Meteor.users;
user = users.findOne({'services.oidc.id': userId});
if(user) {
//updates/creates Groups and user admin privileges accordingly if not undefined
if (info.groups) {
addGroupsWithAttributes(user, info.groups);
}
if(info.email) addEmail(user, info.email);
if(info.fullname) changeFullname(user, info.fullname);
if(info.username) changeUsername(user, info.username);
}
}
}
});
Meteor.methods({
'boardRoutineOnLogin': function(info, userId) {
check(info, Object);
check(userId, String);
// Add board updates here if needed
}
});
'boardRoutineOnLogin': function(info, oidcUserId)
{
check(info, Object);
check(oidcUserId, String);
const defaultBoardParams = (process.env.DEFAULT_BOARD_ID || '').split(':');
const defaultBoardId = defaultBoardParams.shift()
if (!defaultBoardId) return
const board = Boards.findOne(defaultBoardId)
const userId = Users.findOne({ 'services.oidc.id': oidcUserId })?._id
const memberIndex = _.pluck(board?.members, 'userId').indexOf(userId);
if(!board || !userId || memberIndex > -1) return
board.addMember(userId)
board.setMemberPermission(
userId,
defaultBoardParams.contains("isAdmin"),
defaultBoardParams.contains("isNoComments"),
defaultBoardParams.contains("isCommentsOnly"),
defaultBoardParams.contains("isWorker")
)
}
});
Oidc.retrieveCredential = function (credentialToken, credentialSecret) {
return OAuth.retrieveCredential(credentialToken, credentialSecret);
};

10
snap-src/bin/config
View file

@ -3,7 +3,7 @@
# All supported keys are defined here together with descriptions and default values
# list of supported keys
keys="DEBUG S3 MONGO_LOG_DESTINATION MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM MAIL_SERVICE MAIL_SERVICE_USER MAIL_SERVICE_PASSWORD ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM ATTACHMENTS_UPLOAD_MIME_TYPES ATTACHMENTS_UPLOAD_MAX_SIZE AVATARS_UPLOAD_EXTERNAL_PROGRAM AVATARS_UPLOAD_MIME_TYPES AVATARS_UPLOAD_MAX_SIZE MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY DEFAULT_BOARD_ID EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME METRICS_ALLOWED_IP_ADDRESSES BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OIDC_REDIRECTION_ENABLED OAUTH2_CA_CERT OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED OAUTH2_B2C_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_AD_SIMPLE_AUTH LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED RESULTS_PER_PAGE WAIT_SPINNER NODE_OPTIONS OAUTH2_ALLOWEDEMAILS_FILEPATH OAUTH2_CHECKEMAILS"
keys="DEBUG S3 MONGO_LOG_DESTINATION MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM MAIL_SERVICE MAIL_SERVICE_USER MAIL_SERVICE_PASSWORD ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM ATTACHMENTS_UPLOAD_MIME_TYPES ATTACHMENTS_UPLOAD_MAX_SIZE AVATARS_UPLOAD_EXTERNAL_PROGRAM AVATARS_UPLOAD_MIME_TYPES AVATARS_UPLOAD_MAX_SIZE MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY DEFAULT_BOARD_ID EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME METRICS_ALLOWED_IP_ADDRESSES BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OIDC_REDIRECTION_ENABLED OAUTH2_CA_CERT OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED OAUTH2_B2C_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_AD_SIMPLE_AUTH LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED RESULTS_PER_PAGE WAIT_SPINNER NODE_OPTIONS"
DESCRIPTION_S3='AWS S3 for files. Example: {"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "eu-west-1"}}'
DEFAULT_S3=""
@ -631,14 +631,6 @@ DESCRIPTION_SAML_ATTRIBUTES="SAML Attributes"
DEFAULT_SAML_ATTRIBUTES=""
KEY_SAML_ATTRIBUTES="saml-attributes"
DESCRIPTION_OAUTH2_CHECKEMAILS="Set whether a local file containing allowed emails is to be checked when logging in with OIDC"
DEFAULT_OAUTH2_CHECKEMAILS="false"
KEY_OAUTH2_CHECKEMAILS="oauth2-checkemails"
DESCRIPTION_OAUTH2_ALLOWEDEMAILS_FILEPATH="Set whether a local file containing allowed emails is to be checked when logging in with OIDC"
DEFAULT_OAUTH2_ALLOWEDEMAILS_FILEPATH=""
KEY_OAUTH2_ALLOWEDEMAILS_FILEPATH="oauth2-allowedemails-filepath"
DESCRIPTION_RESULTS_PER_PAGE="Number of search results to show per page by default"
DEFAULT_RESULTS_PER_PAGE=""
KEY_RESULTS_PER_PAGE="results-per-page"

10
snap-src/bin/wekan-help
View file

@ -661,16 +661,6 @@ echo -e "\n"
echo -e "Wait spinner to use."
echo -e "\t$ snap set $SNAP_NAME wait-spinner='Bounce'"
echo -e "\n"
echo -e "Oauth2 email login restriction local filepath e.g. /root/var/path/to/file.txt"
echo -e "Path to local file containing known emails to be checked on OIDC login"
echo -e "\t$ snap set $SNAP_NAME OAUTH2_ALLOWEDEMAILS_FILEPATH='/root/var/path/to/file.txt'"
echo -e "\t-Leave blank to disable."
echo -e "\n"
echo -e "Oauth2 email login restriction toggle on/off"
echo -e "To enable and disable email verification against a file containing known emails on OIDC login"
echo -e "\t$ snap set $SNAP_NAME OAUTH2_CHECKEMAILS='true'"
echo -e "\t-To disable, set to false."
echo -e "\n"
# parse config file for supported settings keys
echo -e "wekan supports settings keys"
echo -e "values can be changed by calling\n$ snap set $SNAP_NAME <key name>='<key value>'"