diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2d01b2db..78e0cdf2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -25,8 +25,8 @@ def current_user
 
   def authentication_required
     unless current_user
-      if User.none? && !Rails.configuration.hdm.authentication_disabled
-        redirect_to new_user_path, notice: 'Please create an admin user first.'
+      if admin_user_missing?
+        redirect_to initial_setup_path, notice: 'Please create an admin user first.'
       else
         redirect_to login_path
       end
@@ -48,4 +48,8 @@ def display_error_page(error)
   def access_denied
     render file: Rails.public_path.join('403.html'), status: :forbidden, layout: false
   end
+
+  def admin_user_missing?
+    User.none? && !Rails.configuration.hdm.authentication_disabled
+  end
 end
diff --git a/app/controllers/page_controller.rb b/app/controllers/page_controller.rb
index bb20900f..53a884cc 100644
--- a/app/controllers/page_controller.rb
+++ b/app/controllers/page_controller.rb
@@ -4,8 +4,10 @@ class PageController < ApplicationController
   add_breadcrumb "Home", :root_path
 
   def index
-    if User.none?
-      redirect_to new_user_path, notice: 'Please create an admin user first.'
+    if admin_user_missing?
+      redirect_to initial_setup_path
     end
   end
+
+  def initial_setup; end
 end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index a72bd97c..2455554f 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -41,4 +41,8 @@ def user_deletion_confirmation(user)
   def role_badge_color(role)
     ROLE_BADGE_COLORS[role]
   end
+
+  def external_auth_configured?
+    Ldap.configured? || Saml.configured?
+  end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 4f41505f..4d8ad38a 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
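Review bot: The redirect to `initial_setup_path` relies on `PageController#initial_setup` being exempt from this filter; if `authentication_required` also runs for that action, a visitor on an empty database is redirected to the page they are already on. Neither the filter registration nor any `skip_before_action` is visible in this hunk, so it is worth confirming that the exemption covers `:initial_setup`, ideally with a request test that GETs `initial_setup_path` after `User.destroy_all`. `authentication_required` continues past the end of the hunk.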
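Review bot: `admin_user_missing?` is added as a public method of `ApplicationController`, which makes it an action method on every controller in the app unless the section it sits in is already below a `private` marker that this hunk does not show; since its only external caller is `PageController#index`, which can call a private method of its superclass, declaring it `private` is the safer default. A comment would also help, because the name hides the configuration check: `# True when no local user exists and authentication is enabled; with hdm.authentication_disabled set, no initial admin is required.`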
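Review bot: `initial_setup` renders its view unconditionally, so the setup page stays reachable after the first admin exists; to keep it a one-time screen, `def initial_setup; redirect_to root_path unless admin_user_missing?; end`. If the page is meant to remain viewable that is fine, but its "Create admin user" link will then lead to a form the Ability denies. The `if ... end` in `index` can also be the modifier form `redirect_to initial_setup_path if admin_user_missing?`.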
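Review bot: `external_auth_configured?` carries no comment, although it is rendered on the initial setup page that a visitor reaches before any admin exists, so it intentionally discloses whether LDAP or SAML is set up; a one-liner documents that choice: `# Whether an external identity source (LDAP or SAML) is configured; shown on the public initial setup page.` `Ldap.configured?` and `Saml.configured?` are presumed to be cheap boolean class methods, since this now runs on every render of the index; confirm they do not contact the directory.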
@@ -32,7 +32,7 @@ def initialize(user) # See the wiki for details: # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities - if User.none? + if user.blank? && User.none? can :create, User else return if user.blank? diff --git a/app/views/page/index.html.erb b/app/views/page/index.html.erb index c32d2dfe..5265ccba 100644 --- a/app/views/page/index.html.erb +++ b/app/views/page/index.html.erb @@ -1,25 +1,43 @@ -<%= image_tag "logo_full.png", alt: "Hiera Data Manager logo", width: "50%" %> -
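Review bot: The new guard `user.blank? && User.none?` is the Ability's own copy of the controller's `admin_user_missing?`, but it omits the `authentication_disabled` check, so with authentication disabled and an empty user table the controller no longer forces setup while Ability still grants anonymous `can :create, User`. If that divergence is unintended, move the condition to one shared predicate (for example a class method on `User`) and call it from both places. Whether `current_user` is blank in the disabled mode is not visible here, so this may be intended; the enclosing `initialize` continues outside the hunk.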

HDM is a webfrontend for visualizing and managing Hiera data.

-<% unless current_user %> - <%= render template: "sessions/new" %> -<% else %> - <% if User.count == 1 && current_user.admin? %> -

First Step: Create a User

-

Your account (<%= current_user.email %>) has admin priviliges which allow to manage users but which do not - allow to manage the puppet configuration.

-

=> <%= link_to "Create a new user", new_user_path %> who is not an admin to - get access to the puppet configuration.

- <% end %> - <% if can? :index, Environment %> - <%= link_to environments_path, class: "btn btn-primary" do %> - <%= icon "list" %> - Show Environments +
+
+ <% unless current_user %> + <%= render template: "sessions/new" %> + <% else %> + <% if User.count == 1 && current_user.admin? %> + <% if external_auth_configured? %> +

Welcome

+

You can now create additional admin users or setup groups for finer grained access control.

+

Or sign out to now to login as a regular user authenticated via your external authentication source (LDAP/AD/SSO).

+ <%= link_to logout_path, class: "btn btn-primary" do %> + <%= icon "box-arrow-right" %> + Sign out now + <% end %> +

+ <% else %> +

First Step: Create a User

+

Your account (<%= current_user.email %>) has admin priviliges which allow to manage users but which do not + allow to manage the puppet configuration.

+

=> <%= link_to "Create a new user", new_user_path %> who is not an admin to + get access to the puppet configuration.

+ <% end %> + <% end %> + <% if can? :index, Environment %> + <%= link_to environments_path, class: "btn btn-primary" do %> + <%= icon "list" %> + Show Environments + <% end %> + <% end %> + <% if can? :create, User %> + <%= link_to users_path, class: "btn btn-primary" do %> + <%= icon "people" %> + Manage Users + <% end %> + <% end %> <% end %> - <% end %> - <% if can? :create, User %> - <%= link_to users_path, class: "btn btn-primary" do %> - <%= icon "people" %> - Manage Users - <% end %> - <% end %> -<% end %> +
+
+ <%= image_tag "logo_full.png", alt: "Hiera Data Manager logo", width: "80%" %> +

HDM is a webfrontend for visualizing and managing Hiera data.

+
+
+ diff --git a/app/views/page/initial_setup.html.erb b/app/views/page/initial_setup.html.erb new file mode 100644 index 00000000..2eb9e0d1 --- /dev/null +++ b/app/views/page/initial_setup.html.erb @@ -0,0 +1,40 @@ +
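Review bot: Several new-side strings have wording errors: `Or sign out to now to login as a regular user` has a stray "to" (`Or sign out now to log in as a regular user`), the re-indented block keeps `admin priviliges` (`admin privileges`), and `setup groups` uses the noun where the verb `set up groups` is meant. Since the hunk touches these lines anyway, fixing the user-facing copy here avoids another template change. The HTML markup has been lost in this rendering, so the structural changes cannot be checked from here.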
+
+

Welcome to HDM

+ +

+ To get started, you need to create an admin user. Admin user credentials + are kept in a local database. Admin users can create new regular users + and manage access rules. Admin users cannot access Hiera data. +

+ +

+ <%= link_to "Create admin user", new_user_path, class: "btn btn-primary" %> +

+ + <% if external_auth_configured? %> +

+ You have already configured external authentication resources, so once + an admin user is created setup is complete. +

+ <% else %> +

+ Regular users, stored in the local database, can be managed by an + admin user. Alternatively you can configure LDAP/AD or SAML (SSO) as + a source of authentication for regular users. +

+ +

+ LDAP/AD or SAML can be configured in config/hdm.yml. + Have a look at + <%= link_to "examples here", "https://github.com/betadots/hdm/blob/92219b98f48e29d9c2c9b64d8b8f0996e58d88c5/config/hdm.yml.template#L55-L80" %>. + Remember to restart HDM when making changes to config/hdm.yml. +

+ <% end %> +
+
+ <%= image_tag "logo_full.png", alt: "Hiera Data Manager logo", width: "80%" %> +

HDM is a webfrontend for visualizing and managing Hiera data.

+
+
+
diff --git a/config/routes.rb b/config/routes.rb
index ee1cbd23..cfd07c37 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -48,11 +48,11 @@
   resource :ldap_session, only: [:new, :create]
   resource :saml_session, only: [:new, :create]
 
-  get 'page/index'
+  get '/signup', to: 'users#new', as: 'signup'
+  get '/login', to: 'sessions#new', as: 'login'
+  get '/logout', to: 'sessions#destroy', as: 'logout'
 
-  get 'signup', to: 'users#new', as: 'signup'
-  get 'login', to: 'sessions#new', as: 'login'
-  get 'logout', to: 'sessions#destroy', as: 'logout'
+  get '/initial_setup', to: 'page#initial_setup', as: :initial_setup
 
   root to: 'page#index'
 end
diff --git a/test/controllers/page_controller_test.rb b/test/controllers/page_controller_test.rb
index adff6dae..a3572d08 100644
--- a/test/controllers/page_controller_test.rb
+++ b/test/controllers/page_controller_test.rb
@@ -1,15 +1,22 @@
 require 'test_helper'
 
 class PageControllerTest < ActionDispatch::IntegrationTest
-  test "system without an existing user shouldn't get index but new user form" do
+  test "system without an existing user shouldn't get index but initial setup page" do
     User.destroy_all
-    get page_index_url
-    assert_redirected_to new_user_path
+    get root_url
+    assert_redirected_to initial_setup_path
   end
 
   test "system with existing user should get index" do
     FactoryBot.create(:user)
-    get page_index_url
+    get root_url
     assert_response :success
   end
+
+  test "system with authentication disabled should get index" do
+    Rails.configuration.hdm["authentication_disabled"] = true
+    get root_url
+    assert_response :success
+    Rails.configuration.hdm["authentication_disabled"] = nil
+  end
 end
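Review bot: The new route names itself with a symbol, `as: :initial_setup`, while the three routes rewritten directly above it use strings (`as: 'signup'`); both work, but the hunk now mixes the two styles on adjacent lines, so pick one, e.g. `get '/initial_setup', to: 'page#initial_setup', as: 'initial_setup'`. The leading slash added to `'/signup'`, `'/login'` and `'/logout'` is cosmetic, since Rails normalizes the path either way, so that rewrite could be dropped to keep the diff to the one new route.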
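Review bot: The new test resets `Rails.configuration.hdm["authentication_disabled"]` only on the success path, so a failing assertion leaves authentication disabled for every test that runs afterwards in the process; move the reset under `ensure`, so the block ends `assert_response :success` / `ensure` / `Rails.configuration.hdm["authentication_disabled"] = nil`. The test also never empties the user table, so unless the fixtures are empty it passes regardless of whether `admin_user_missing?` consults the flag; adding `User.destroy_all` before the `get` makes the disabled-mode branch the one actually under test.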