Allow admin auth bypass (#130)

tchapi · Jan 14, 2024 · bf3fc88 · bf3fc88
1 parent 0b0b6f6
commit bf3fc88
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 6 deletions.
diff --git a/.env b/.env
@@ -37,6 +37,9 @@ MAILER_DSN=smtp://localhost:465?encryption=ssl&auth_mode=login&username=&passwor
 # The admin password for the backend
 ADMIN_LOGIN=admin
 ADMIN_PASSWORD=test
+# You can bypass auth entirely by setting this to "true" (case sensitive).
+# Useful if you use an external authorization provider such as Authelia
+ADMIN_AUTH_BYPASS=false
 
 # Auth Realm for HTTP auth
 AUTH_REALM=SabreDAV

diff --git a/README.md b/README.md
@@ -86,6 +86,10 @@ ADMIN_LOGIN=admin
 ADMIN_PASSWORD=test
 ```
 
+> [!NOTE]
+>
+> You can bypass auth entirely if you use a third party authorization provider such as Authelia. In that case, set the `ADMIN_AUTH_BYPASS` env var to `true` (case-sensitive, this is actually the string `true`, not a boolean) to allow full access to the dashboard. This does not change the behaviour of the DAV server.
+
 c. The auth Realm and method for HTTP auth
 
 ```

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -20,7 +20,7 @@ security:
     access_control:
         - { path: ^/$, roles: PUBLIC_ACCESS }
         - { path: ^/dav, roles: PUBLIC_ACCESS }
-        - { path: ^/dashboard, roles: ROLE_ADMIN }
-        - { path: ^/users, roles: ROLE_ADMIN }
-        - { path: ^/calendars, roles: ROLE_ADMIN }
-        - { path: ^/adressbooks, roles: ROLE_ADMIN }
+        - { path: ^/dashboard, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" }
+        - { path: ^/users, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" }
+        - { path: ^/calendars, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" }
+        - { path: ^/adressbooks, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" }
diff --git a/config/services.yaml b/config/services.yaml
@@ -5,6 +5,7 @@
 # https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
 parameters:
     default_database_driver: "mysql"
+    default_admin_auth_bypass: "false"
     timezone: '%env(APP_TIMEZONE)%'
 
 services:

diff --git a/tests/Functional/DashboardTest.php b/tests/Functional/DashboardTest.php
@@ -51,7 +51,7 @@ public function testLoginIncorrectUsername(): void
         $crawler = $client->followRedirect();
         $this->assertResponseIsSuccessful();
 
-        $this->assertSelectorTextContains('div.alert.alert-danger', 'Username could not be found.');
+        $this->assertSelectorTextContains('div.alert.alert-danger', 'Invalid credentials.');
     }
 
     public function testLoginIncorrectPassword(): void

diff --git a/translations/security.en.xlf b/translations/security.en.xlf
@@ -47,7 +47,7 @@
       </trans-unit>
       <trans-unit id="z3cOUZo" resname="Username could not be found.">
         <source>Username could not be found.</source>
-        <target>Username could not be found.</target>
+        <target>Invalid credentials.</target>
       </trans-unit>
       <trans-unit id="By5eLYM" resname="Account has expired.">
         <source>Account has expired.</source>