crowi · lightnet328 · Aug 8, 2020 · Aug 14, 2020 · Jun 19, 2022 · Jun 19, 2022
diff --git a/.eslintrc b/.eslintrc
@@ -38,6 +38,7 @@
     "handle-callback-err": "off",
     "no-console": "off",
     "no-global-assign": "off",
+    "no-use-before-define": "off",
     "node/no-deprecated-api": "off",
     "prettier/prettier": "error",
     "react/prop-types": "off",

diff --git a/README.md b/README.md
@@ -69,6 +69,8 @@ or please write `.env`.
 * `NODE_ENV`: `production` OR `development`.
 * `MONGO_URI`: URI to connect to MongoDB. This parameter is also by `MONGOHQ_URL` OR `MONGOLAB_URI`.
 * `REDIS_URL`: URI to connect to Redis (used for session store and socket.io). This parameter is also by `REDISTOGO_URL`.
+    * Use `rediss://` scheme if you want to TLS connection to Redis.
+    * `REDIS_REJECT_UNAUTHORIZED`: Set "0" if you want to skip the verification of certificate.
 * `ELASTICSEARCH_URI`: URI to connect to Elasticearch.
 * `PASSWORD_SEED`: A password seed used by password hash generator.
 * `SECRET_TOKEN`: A secret key for verifying the integrity of signed cookies.

diff --git a/app.json b/app.json
@@ -19,15 +19,19 @@
       "description": "A password seed is used by password hash generator. ",
       "generator": "secret"
     },
+    "MONGO_URI": {
+      "description": "Uri for MongoDB.",
+      "required": true
+    },
+    "REDIS_REJECT_UNAUTHORIZED": "0",
     "MONGOMS_DISABLE_POSTINSTALL": "1"
   },
   "addons": [
-    "mongolab",
-    "redistogo",
+    "heroku-redis",
     {
       "plan": "bonsai",
       "options": {
-        "version": "7.2"
+        "version": "7.10.2"
       }
     }
   ]

diff --git a/client/components/Admin/App/AppPage.tsx b/client/components/Admin/App/AppPage.tsx
@@ -3,6 +3,7 @@ import React, { useContext, useState, useEffect } from 'react'
 import { AdminContext } from 'components/Admin/AdminPage'
 import AppSettings from './AppSettings'
 import SecuritySettings from './SecuritySettings'
+import AuthSettings from './AuthSettings'
 import MailSettings from './MailSettings'
 import AWSSettings from './AWSSettings'
 import GoogleSettings from './GoogleSettings'
@@ -66,6 +67,7 @@ export default function AppPage() {
       <>
         <AppSettings isUploadable={isUploadable} {...getProps('app')} />
         <SecuritySettings registrationMode={registrationMode} {...getProps('sec')} />
+        <AuthSettings {...getProps('auth')} />
         <MailSettings {...getProps('mail')} />
         <AWSSettings {...getProps('aws')} />
         <GoogleSettings {...getProps('google')} />

diff --git a/client/components/Admin/App/AuthSettings.tsx b/client/components/Admin/App/AuthSettings.tsx
@@ -0,0 +1,68 @@
+import React, { useState, FC } from 'react'
+import { useTranslation } from 'react-i18next'
+import { Alert, Button, FormText, CustomInput } from 'reactstrap'
+import FormRow from '../FormRow'
+
+interface Props {
+  settingForm: object
+  update: (settings: object) => void
+  alert: {
+    status: string
+    show: boolean
+    message: string
+  }
+}
+
+const AuthSettings: FC<Props> = ({ settingForm, update, alert }) => {
+  const [t] = useTranslation()
+  const [requireThirdPartyAuth, setRequireThirdPartyAuth] = useState(!!settingForm['auth:requireThirdPartyAuth'])
+  const [disablePasswordAuth, setDisablePasswordAuth] = useState(!!settingForm['auth:disablePasswordAuth'])
+
+  const handleSubmit = (e) => {
+    e.preventDefault()
+    update({
+      'auth:requireThirdPartyAuth': requireThirdPartyAuth,
+      'auth:disablePasswordAuth': disablePasswordAuth,
+    })
+  }
+
+  return (
+    <form className="form-horizontal" role="form" >
+      <fieldset>
+        <legend>{t('admin.auth.legend')}</legend>
+
+        <Alert color={alert.status} isOpen={!!alert.show}>
+          {alert.message}
+        </Alert>
+
+        <FormRow>
+          <CustomInput
+            type="checkbox"
+            id="requireThirdPartyAuth"
+            label={t('admin.auth.require_third_party_auth')}
+            checked={requireThirdPartyAuth}
+             => setRequireThirdPartyAuth((requireThirdPartyAuth) => !requireThirdPartyAuth)}
+          />
+          <FormText color="muted">{t('admin.auth.require_third_party_auth_help')}</FormText>
+        </FormRow>
+
+        <FormRow>
+          <CustomInput
+            type="checkbox"
+            id="disablePasswordAuth"
+            label={t('admin.auth.disable_password_auth')}
+            checked={disablePasswordAuth}
+             => setDisablePasswordAuth((disablePasswordAuth) => !disablePasswordAuth)}
+          />
+          <FormText color="muted">{t('admin.auth.disable_password_auth_help')}</FormText>
+        </FormRow>
+
+        <FormRow>
+          <Button color="primary">{t('Update')}</Button>
+        </FormRow>
+      </fieldset>
+    </form>
+  )
+}
+
+export default AuthSettings
diff --git a/jest.config.js b/jest.config.js
@@ -104,11 +104,13 @@ module.exports = {
     {
       displayName: 'client/ts',
       testMatch: ['<rootDir>/client/**/*.test.ts'],
+      testEnvironment: 'jsdom',
     },
     {
       displayName: 'client/tsx',
       setupFilesAfterEnv: ['./client/test/setup.ts'],
       testMatch: ['<rootDir>/client/**/*.test.tsx'],
+      testEnvironment: 'jsdom',
     },
   ],
 

diff --git a/lib/crowi/index.test.ts b/lib/crowi/index.test.ts
@@ -30,4 +30,21 @@ describe('Test for Crowi application context', () => {
       expect(crowi.getMongo().connection.readyState).toBe(1)
     })
   })
+
+  describe('buildRedisOpts', () => {
+    const table: [string, boolean, object][] = [
+      ['redis://localhost:6379', true, { host: 'localhost', port: '6379' }],
+      ['redis://localhost:6379', false, { host: 'localhost', port: '6379' }],
+
+      ['redis://user:password@localhost:6379', true, { host: 'localhost', port: '6379', password: 'password' }],
+      ['redis://user:password@localhost:6379', false, { host: 'localhost', port: '6379', password: 'password' }],
+
+      ['rediss://localhost:6379', true, { host: 'localhost', port: '6379', tls: { requestCert: true, rejectUnauthorized: true } }],
+      ['rediss://localhost:6379', false, { host: 'localhost', port: '6379', tls: { requestCert: true, rejectUnauthorized: false } }],
+    ]
+
+    test.each(table)('parse %s', (url, redisRejectUnauthorized, expected) => {
+      expect(crowi.buildRedisOpts(url, redisRejectUnauthorized)).toStrictEqual(expected)
+    })
+  })
 })
diff --git a/lib/crowi/index.ts b/lib/crowi/index.ts
@@ -116,8 +116,11 @@ class Crowi {
     this.baseUrl = this.env.BASE_URL || null
     this.node_env = this.env.NODE_ENV || 'production'
     this.port = this.env.PORT ? Number.parseInt(this.env.PORT) : 3000
-    this.redisUrl = this.env.REDISTOGO_URL || this.env.REDIS_URL || null
-    this.redisOpts = this.buildRedisOpts(this.redisUrl)
+    // Remove REDISTOGO_URL in the near future.
+    this.redisUrl = this.env.REDISTOGO_URL || this.env.REDIS_TLS_URL || this.env.REDIS_URL || null
+
+    const redisRejectUnauthorized = this.env.REDIS_REJECT_UNAUTHORIZED !== '0'
+    this.redisOpts = this.buildRedisOpts(this.redisUrl, redisRejectUnauthorized)
 
     this.rootDir = rootdir
     this.pluginDir = path.join(this.rootDir, 'node_modules') + sep
@@ -198,12 +201,20 @@ class Crowi {
     return this.env
   }
 
-  buildRedisOpts(redisUrl: string | null) {
+  buildRedisOpts(redisUrl: string | null, redisRejectUnauthorized: boolean) {
     if (redisUrl) {
-      const { hostname: host, port, auth } = url.parse(redisUrl)
+      const { hostname: host, port, auth, protocol } = url.parse(redisUrl)
       const password = auth ? { password: auth.split(':')[1] } : {}
-      return { host, port, ...password }
+
+      const tls: object | null = protocol === 'rediss:' ? { requestCert: true, rejectUnauthorized: redisRejectUnauthorized } : null
+
+      if (tls === null) {
+        return { host, port, ...password }
+      }
+
+      return { host, port, tls, ...password }
     }
+
     return null
   }
 

diff --git a/lib/pages/Me/GitHubWidget.tsx b/lib/pages/Me/GitHubWidget.tsx
@@ -29,7 +29,7 @@ const GitHubWidget: FC<Props> = (props) => {
           name="disconnectGitHub"
           className="btn btn-secondary"
           defaultValue={i18n.t('Disconnect') as any}
-          disabled={context.auth.canDisconnectThirdPartyId}
+          disabled={!context.auth.canDisconnectThirdPartyId}
         />
       }
       disconnectMessages={[i18n.t('page_me.form_help.github_disconnect1'), i18n.t('page_me.form_help.github_disconnect2')]}

diff --git a/lib/pages/Me/GoogleWidget.tsx b/lib/pages/Me/GoogleWidget.tsx
@@ -29,7 +29,7 @@ const GoogleWidget: FC<Props> = (props) => {
           name="disconnectGoogle"
           className="btn btn-secondary"
           defaultValue={i18n.t('Disconnect') as any}
-          disabled={context.auth.canDisconnectThirdPartyId}
+          disabled={!context.auth.canDisconnectThirdPartyId}
         />
       }
       disconnectMessages={[i18n.t('page_me.form_help.google_disconnect1'), i18n.t('page_me.form_help.google_disconnect2')]}

diff --git a/lib/pages/Me/ProviderWidget.tsx b/lib/pages/Me/ProviderWidget.tsx
@@ -39,7 +39,7 @@ const ProviderWidget: FC<Props> = (props) => {
                     <br />
                     {disconnectMessages[1]}
                   </p>
-                  {context.auth.canDisconnectThirdPartyId && <p className="form-text text-muted">{i18n.t('page_me.can_not_disconnect')}</p>}
+                  {!context.auth.canDisconnectThirdPartyId && <p className="form-text text-muted">{i18n.t('page_me.can_not_disconnect')}</p>}
                 </div>
               ) : (
                 <div className="col-sm-12">

diff --git a/lib/test/crowi-environment.js b/lib/test/crowi-environment.js
@@ -1,3 +1,4 @@
+import 'regenerator-runtime/runtime'
 const NodeEnvironment = require('jest-environment-node')
 const { MongoMemoryServer } = require('mongodb-memory-server')
 const path = require('path')

diff --git a/locales/en-US/translation.yml b/locales/en-US/translation.yml
@@ -311,6 +311,12 @@ admin:
     whitelist_placeholder: 'Ex. mail@crowi.wiki'
     whitelist_description1: You can limit the domain of email addresses that can be registered. For example, if you use crowi.wiki domain in your company, you can write <1>@crowi.wiki</1>, which means that only people with that company's email address can register.
     whitelist_description2: Please input one email address per line.
+  auth:
+    legend: 認証設定
+    require_third_party_auth: 外部認証の設定を必須にする
+    require_third_party_auth_help: 外部認証を設定していないユーザーがログインした場合、またはページ遷移した場合に外部認証の設定を要求します。
+    disable_password_auth: パスワードによるログインを禁止する
+    disable_password_auth_help: 外部認証以外でログインすることができなくなります。
   backlink:
     legend: Backlinks Build
     build: Build Now
@@ -372,7 +378,7 @@ admin:
         checkbox: Send invitation by email
         submit: Submit
       modal:
-        completed_message: Successfully invited new users! 
+        completed_message: Successfully invited new users!
         temp_password: The new users have temporary passwords.
         caution_password: Please note you will not be able to recover the temporary passwords once you close this message.
         caution_without_email: You need to share the temporary passwords with invited users if you have not sent invitations via email.

diff --git a/locales/ja/translation.yml b/locales/ja/translation.yml
@@ -311,6 +311,12 @@ admin:
     whitelist_placeholder: '例: mail@crowi.wiki'
     whitelist_description1: 登録可能なメールアドレスを制限することができます。例えば、会社で使う場合、<1>@crowi.wiki</1>などと記載すると、その会社のメールアドレスを持っている人のみ登録可能になります。
     whitelist_description2: 1行に1メールアドレス入力してください。
+  auth:
+    legend: 認証設定
+    require_third_party_auth: 外部認証の設定を必須にする
+    require_third_party_auth_help: 外部認証を設定していないユーザーがログインした場合、またはページ遷移した場合に外部認証の設定を要求します。
+    disable_password_auth: パスワードによるログインを禁止する
+    disable_password_auth_help: 外部認証以外でログインすることができなくなります。
   backlink:
     legend: バックリンク構築
     build: Build Now