From a324a5e9519556b7e12aef8666be83ff44347e1e Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Tue, 3 Dec 2024 15:48:30 +0100
Subject: [PATCH] #15842 - Hide login form

This doesn't implement the full solution proposed in #15842 but enables
administrators to hide the login form when users should only login with a SSO
provider. To prevent a complete lockout when the SSO provider is having
issues the GET parameter `skipsso` can be added to the login URL to show
the form regardless.
---
 docs/configuration/security.md         |  8 +++
 netbox/account/views.py                |  2 +
 netbox/netbox/configuration_example.py |  3 ++
 netbox/netbox/settings.py              |  1 +
 netbox/templates/login.html            | 73 ++++++++++++++------------
 5 files changed, 54 insertions(+), 33 deletions(-)

diff --git a/docs/configuration/security.md b/docs/configuration/security.md
index b97f31432..c689e469f 100644
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
@@ -186,6 +186,14 @@ The lifetime (in seconds) of the authentication cookie issued to a NetBox user u
 
 ---
 
+## LOGIN_FORM_HIDDEN
+
+Default: False
+
+Option to hide the login form when only SSO authentication is in use. Appending `skipsso` as GET parameter shows the login form in case there is a problem with the SSO provider.
+
+---
+
 ## LOGOUT_REDIRECT_URL
 
 Default: `'home'`
diff --git a/netbox/account/views.py b/netbox/account/views.py
index 05f40df3f..e51dd8871 100644
--- a/netbox/account/views.py
+++ b/netbox/account/views.py
@@ -89,10 +89,12 @@ class LoginView(View):
         if request.user.is_authenticated:
             logger = logging.getLogger('netbox.auth.login')
             return self.redirect_to_next(request, logger)
+        login_form_hidden = settings.LOGIN_FORM_HIDDEN and "skipsso" not in request.GET
 
         return render(request, self.template_name, {
             'form': form,
             'auth_backends': self.get_auth_backends(request),
+            'login_form_hidden': login_form_hidden,
         })
 
     def post(self, request):
diff --git a/netbox/netbox/configuration_example.py b/netbox/netbox/configuration_example.py
index 84ead5339..a07661208 100644
--- a/netbox/netbox/configuration_example.py
+++ b/netbox/netbox/configuration_example.py
@@ -164,6 +164,9 @@ LOGIN_REQUIRED = True
 # re-authenticate. (Default: 1209600 [14 days])
 LOGIN_TIMEOUT = None
 
+# Hide the login form. Useful when only allowing SSO authentication.
+LOGIN_FORM_HIDDEN = False
+
 # The view name or URL to which users are redirected after logging out.
 LOGOUT_REDIRECT_URL = 'home'
 
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index 0682e713d..3b451ec93 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -127,6 +127,7 @@ LOGGING = getattr(configuration, 'LOGGING', {})
 LOGIN_PERSISTENCE = getattr(configuration, 'LOGIN_PERSISTENCE', False)
 LOGIN_REQUIRED = getattr(configuration, 'LOGIN_REQUIRED', True)
 LOGIN_TIMEOUT = getattr(configuration, 'LOGIN_TIMEOUT', None)
+LOGIN_FORM_HIDDEN = getattr(configuration, 'LOGIN_FORM_HIDDEN', False)
 LOGOUT_REDIRECT_URL = getattr(configuration, 'LOGOUT_REDIRECT_URL', 'home')
 MEDIA_ROOT = getattr(configuration, 'MEDIA_ROOT', os.path.join(BASE_DIR, 'media')).rstrip('/')
 METRICS_ENABLED = getattr(configuration, 'METRICS_ENABLED', False)
diff --git a/netbox/templates/login.html b/netbox/templates/login.html
index e50303911..079d66a67 100644
--- a/netbox/templates/login.html
+++ b/netbox/templates/login.html
@@ -34,48 +34,55 @@
       {% endif %}
 
       <div class="card card-md">
-        <div class="card-body">
-          <h2 class="text-center mb-4">{% trans "Log In" %}</h2>
+        {% if not login_form_hidden %}
+          <div class="card-body">
+            <h2 class="text-center mb-4">{% trans "Log In" %}</h2>
 
-          {# Login form #}
-          <form action="{% url 'login' %}" method="post">
-            {% csrf_token %}
+            {# Login form #}
+            <form action="{% url 'login' %}" method="post">
+              {% csrf_token %}
 
-            {# Set post-login URL #}
-            {% if 'next' in request.GET %}
-              <input type="hidden" name="next" value="{{ request.GET.next }}" />
-            {% elif 'next' in request.POST %}
-              <input type="hidden" name="next" value="{{ request.POST.next }}" />
-            {% endif %}
+              {# Set post-login URL #}
+              {% if 'next' in request.GET %}
+                <input type="hidden" name="next" value="{{ request.GET.next }}" />
+              {% elif 'next' in request.POST %}
+                <input type="hidden" name="next" value="{{ request.POST.next }}" />
+              {% endif %}
 
-            <div class="form-group mb-3">
-              <label for="id_username" class="form-label">{{ form.username.label }}</label>
-              {{ form.username }}
-              {% for error in form.username.errors %}
-                <div class="alert alert-danger">{{ error }}</div>
-              {% endfor %}
-            </div>
+              <div class="form-group mb-3">
+                <label for="id_username" class="form-label">{{ form.username.label }}</label>
+                {{ form.username }}
+                {% for error in form.username.errors %}
+                  <div class="alert alert-danger">{{ error }}</div>
+                {% endfor %}
+              </div>
 
-            <div class="form-group">
-              <label for="id_password" class="form-label">{{ form.password.label }}</label>
-              {{ form.password }}
-              {% for error in form.password.errors %}
-                <div class="alert alert-danger">{{ error }}</div>
-              {% endfor %}
-            </div>
+              <div class="form-group">
+                <label for="id_password" class="form-label">{{ form.password.label }}</label>
+                {{ form.password }}
+                {% for error in form.password.errors %}
+                  <div class="alert alert-danger">{{ error }}</div>
+                {% endfor %}
+              </div>
 
-            <div class="form-footer">
-              <button type="submit" class="btn btn-primary w-100">
-                {% trans "Sign In" %}
-              </button>
-            </div>
-          </form>
-        </div>
+              <div class="form-footer">
+                <button type="submit" class="btn btn-primary w-100">
+                  {% trans "Sign In" %}
+                </button>
+              </div>
+            </form>
+          </div>
+        {% endif %}
 
         {# SSO login #}
         {% if auth_backends %}
-          <div class="hr-text">{% trans "Or" context "Denotes an alternative option" %}</div>
+          {% if not login_form_hidden %}
+            <div class="hr-text">{% trans "Or" context "Denotes an alternative option" %}</div>
+          {% endif %}
           <div class="card-body">
+            {% if login_form_hidden %}
+              <h2 class="text-center mb-4">{% trans "Log In" %}</h2>
+            {% endif %}
             <div class="row">
               {% for backend in auth_backends %}
                 <div class="col">