diff --git a/Makefile b/Makefile index 1c185505c..be49c9a8f 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # Version of LRS Admin UI to use -LRS_ADMIN_UI_VERSION ?= v0.1.14 +LRS_ADMIN_UI_VERSION ?= v0.1.15 LRS_ADMIN_UI_LOCATION ?= https://github.com/yetanalytics/lrs-admin-ui/releases/download/${LRS_ADMIN_UI_VERSION}/lrs-admin-ui.zip LRS_ADMIN_ZIPFILE ?= lrs-admin-ui-${LRS_ADMIN_UI_VERSION}.zip diff --git a/doc/env_vars.md b/doc/env_vars.md index acea63c26..6ce24a400 100644 --- a/doc/env_vars.md +++ b/doc/env_vars.md @@ -148,6 +148,7 @@ _NOTE:_ `LRSQL_STMT_RETRY_LIMIT` and `LRSQL_STMT_RETRY_BUDGET` are used to mitig | `LRSQL_JWT_NO_VAL_ISSUER` | `jwtNoValIssuer` | (**DANGEROUS!** See `LRSQL_JWT_NO_VAL`) This variable configures which claim key to use for the issuer when token validation is turned off. | Not Set | | `LRSQL_JWT_NO_VAL_ROLE_KEY` | `jwtNoValRoleKey` | (**DANGEROUS!** See `LRSQL_JWT_NO_VAL`) This variable configures which claim key to look in for the role when token validation is turned off. | Not Set | | `LRSQL_JWT_NO_VAL_ROLE` | `jwtNoValRole` | (**DANGEROUS!** See `LRSQL_JWT_NO_VAL`) This variable configures what role must be present in the key above when token validation is turned off. | Not Set | +| `LRSQL_JWT_NO_VAL_LOGOUT_URL` | `jwtNoValLogoutUrl` | (**DANGEROUS!** See `LRSQL_JWT_NO_VAL`) This variable specifies a logout URL that the client will redirect to on user logout when token validation is turned off. | Not Set | #### OIDC diff --git a/resources/lrsql/config/prod/default/webserver.edn b/resources/lrsql/config/prod/default/webserver.edn index ac79d20b1..d85d440e3 100644 --- a/resources/lrsql/config/prod/default/webserver.edn +++ b/resources/lrsql/config/prod/default/webserver.edn @@ -11,6 +11,7 @@ :jwt-no-val-issuer #or [#env LRSQL_JWT_NO_VAL_ISSUER nil] :jwt-no-val-role-key #or [#env LRSQL_JWT_NO_VAL_ROLE_KEY nil] :jwt-no-val-role #or [#env LRSQL_JWT_NO_VAL_ROLE nil] + :jwt-no-val-logout-url #or [#env LRSQL_JWT_NO_VAL_LOGOUT_URL nil] :sec-head-hsts #or [#env LRSQL_SEC_HEAD_HSTS nil] :sec-head-frame #or [#env LRSQL_SEC_HEAD_FRAME nil] :sec-head-content-type #or [#env LRSQL_SEC_HEAD_CONTENT_TYPE nil] diff --git a/resources/lrsql/config/test/default/webserver.edn b/resources/lrsql/config/test/default/webserver.edn index f4df49cf4..0ba23e966 100644 --- a/resources/lrsql/config/test/default/webserver.edn +++ b/resources/lrsql/config/test/default/webserver.edn @@ -9,6 +9,7 @@ :jwt-no-val-issuer nil :jwt-no-val-role-key nil :jwt-no-val-role nil + :jwt-no-val-logout-url nil :enable-http true :enable-http2 true :ssl-port 8443 diff --git a/src/main/lrsql/admin/interceptors/ui.clj b/src/main/lrsql/admin/interceptors/ui.clj index 2be3c86df..a3b0a10ab 100644 --- a/src/main/lrsql/admin/interceptors/ui.clj +++ b/src/main/lrsql/admin/interceptors/ui.clj @@ -15,7 +15,12 @@ config to inject: :enable-admin-status - boolean, determines if the admin status endpoint is enabled." - [{:keys [enable-admin-delete-actor enable-admin-status enable-reactions no-val? proxy-path] + [{:keys [enable-admin-delete-actor + enable-admin-status + enable-reactions + no-val? + no-val-logout-url + proxy-path] :or {enable-admin-delete-actor false enable-admin-status false enable-reactions false @@ -32,11 +37,14 @@ {:status 200 :body (merge - {:url-prefix url-prefix - :proxy-path proxy-path - :enable-stmt-html (some? enable-stmt-html) - :enable-admin-delete-actor enable-admin-delete-actor - :enable-admin-status enable-admin-status - :enable-reactions enable-reactions - :no-val? no-val?} + (cond-> {:url-prefix url-prefix + :proxy-path proxy-path + :enable-stmt-html (some? enable-stmt-html) + :enable-admin-delete-actor enable-admin-delete-actor + :enable-admin-status enable-admin-status + :enable-reactions enable-reactions + :no-val? no-val?} + (and no-val? + (not-empty no-val-logout-url)) + (assoc :no-val-logout-url no-val-logout-url)) oidc-env)})))})) diff --git a/src/main/lrsql/admin/routes.clj b/src/main/lrsql/admin/routes.clj index e7265246f..d9daed464 100644 --- a/src/main/lrsql/admin/routes.clj +++ b/src/main/lrsql/admin/routes.clj @@ -190,6 +190,7 @@ no-val-uname no-val-role-key no-val-role + no-val-logout-url enable-admin-delete-actor enable-admin-ui enable-admin-status @@ -205,11 +206,11 @@ routes] (let [common-interceptors (make-common-interceptors lrs head-opts) common-interceptors-oidc (into common-interceptors oidc-interceptors) - no-val-opts {:no-val? no-val? - :no-val-uname no-val-uname - :no-val-issuer no-val-issuer + no-val-opts {:no-val? no-val? + :no-val-uname no-val-uname + :no-val-issuer no-val-issuer :no-val-role-key no-val-role-key - :no-val-role no-val-role}] + :no-val-role no-val-role}] (cset/union routes (when enable-account-routes (admin-account-routes @@ -220,10 +221,11 @@ (admin-ui-routes (into common-interceptors oidc-ui-interceptors) - {:enable-admin-status enable-admin-status - :enable-reactions enable-reaction-routes - :no-val? no-val? - :proxy-path proxy-path + {:enable-admin-status enable-admin-status + :enable-reactions enable-reaction-routes + :no-val? no-val? + :no-val-logout-url no-val-logout-url + :proxy-path proxy-path :enable-admin-delete-actor enable-admin-delete-actor})) (when enable-admin-status (admin-status-routes @@ -232,4 +234,5 @@ (admin-reaction-routes common-interceptors secret leeway no-val-opts)) (when enable-admin-delete-actor - (admin-lrs-management-routes common-interceptors-oidc secret leeway no-val-opts))))) + (admin-lrs-management-routes + common-interceptors-oidc secret leeway no-val-opts))))) diff --git a/src/main/lrsql/spec/config.clj b/src/main/lrsql/spec/config.clj index b0b9268e6..943a8883c 100644 --- a/src/main/lrsql/spec/config.clj +++ b/src/main/lrsql/spec/config.clj @@ -158,6 +158,7 @@ (s/def ::jwt-no-val-issuer (s/nilable string?)) (s/def ::jwt-no-val-role-key (s/nilable string?)) (s/def ::jwt-no-val-role (s/nilable string?)) +(s/def ::jwt-no-val-logout-url (s/nilable string?)) (s/def ::key-file string?) ; TODO: correct file extension/path? (s/def ::key-alias string?) @@ -225,6 +226,7 @@ ::jwt-no-val-issuer ::jwt-no-val-role ::jwt-no-val-role-key + ::jwt-no-val-logout-url ::sec-head-hsts ::sec-head-frame ::sec-head-content-type diff --git a/src/main/lrsql/system/webserver.clj b/src/main/lrsql/system/webserver.clj index 83244b389..ee0a5561b 100644 --- a/src/main/lrsql/system/webserver.clj +++ b/src/main/lrsql/system/webserver.clj @@ -44,6 +44,7 @@ jwt-no-val-issuer jwt-no-val-role-key jwt-no-val-role + jwt-no-val-logout-url enable-clamav clamav-host clamav-port] @@ -87,6 +88,7 @@ :no-val-uname jwt-no-val-uname :no-val-role-key jwt-no-val-role-key :no-val-role jwt-no-val-role + :no-val-logout-url jwt-no-val-logout-url :secret private-key :enable-admin-delete-actor enable-admin-delete-actor :enable-admin-ui enable-admin-ui