Add per-provider user registration control (#1321)

Add granular registration flags:
- KOMODO_DISABLE_LOCAL_USER_REGISTRATION — blocks local signups,
  hides Sign Up button, while allowing OIDC registration
- KOMODO_DISABLE_OIDC_USER_REGISTRATION — blocks OIDC signups
  while allowing local registration

Both are optional and fall back to the existing
KOMODO_DISABLE_USER_REGISTRATION when not set. This enables the
common pattern of letting your OIDC provider control access while
preventing direct local account creation.

Depends on mogh-lib change adding per-provider registration methods
to the AuthImpl trait.

Closes #1087

Cargo.lock

@@ -1149,7 +1149,7 @@ dependencies = [
 
 [[package]]
 name = "command"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "komodo_client",
  "shlex",
@@ -1489,7 +1489,7 @@ checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea"
 
 [[package]]
 name = "database"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "async-compression",
@@ -1759,7 +1759,7 @@ dependencies = [
 
 [[package]]
 name = "encoding"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "bytes",
@@ -1801,7 +1801,7 @@ dependencies = [
 
 [[package]]
 name = "environment"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "formatting",
@@ -1930,7 +1930,7 @@ dependencies = [
 
 [[package]]
 name = "formatting"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "mogh_error",
 ]
@@ -2109,7 +2109,7 @@ dependencies = [
 
 [[package]]
 name = "git"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "command",
@@ -2709,7 +2709,7 @@ dependencies = [
 
 [[package]]
 name = "interpolate"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "komodo_client",
@@ -2835,7 +2835,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_cli"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "bcrypt",
@@ -2865,7 +2865,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_client"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "async_timing_util",
@@ -2904,7 +2904,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_core"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "arc-swap",
@@ -2977,7 +2977,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_periphery"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "arc-swap",
@@ -4032,7 +4032,7 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
 [[package]]
 name = "periphery_client"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "encoding",
@@ -5997,7 +5997,7 @@ dependencies = [
 
 [[package]]
 name = "transport"
-version = "2.1.0"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "axum",

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 ]
 
 [workspace.package]
-version = "2.1.0"
+version = "2.1.2"
 edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"

bin/core/src/api/write/stack.rs

@@ -555,8 +555,9 @@ impl Resolve<WriteArgs> for RefreshStackCache {
             &mut services,
           ) {
             warn!(
-              "failed to extract stack services, things won't works correctly. stack: {} | {e:#}",
-              stack.name
+              stack = stack.id,
+              stack_name = stack.name,
+              "Failed to extract stack services | {e:#}",
             );
           }
         }

bin/core/src/auth/mod.rs

@@ -205,6 +205,20 @@ impl AuthImpl for KomodoAuthImpl {
     core_config().disable_user_registration
   }
 
+  fn local_registration_disabled(&self) -> bool {
+    let config = core_config();
+    config
+      .disable_local_user_registration
+      .unwrap_or(config.disable_user_registration)
+  }
+
+  fn oidc_registration_disabled(&self) -> bool {
+    let config = core_config();
+    config
+      .disable_oidc_user_registration
+      .unwrap_or(config.disable_user_registration)
+  }
+
   fn validate_username(
     &self,
     username: &str,

bin/core/src/config.rs

@@ -345,6 +345,12 @@ pub fn core_config() -> &'static CoreConfig {
       disable_user_registration: env
         .komodo_disable_user_registration
         .unwrap_or(config.disable_user_registration),
+      disable_local_user_registration: env
+        .komodo_disable_local_user_registration
+        .or(config.disable_local_user_registration),
+      disable_oidc_user_registration: env
+        .komodo_disable_oidc_user_registration
+        .or(config.disable_oidc_user_registration),
       disable_non_admin_create: env
         .komodo_disable_non_admin_create
         .unwrap_or(config.disable_non_admin_create),

bin/core/src/monitor/resources.rs

@@ -46,8 +46,10 @@ pub async fn update_swarm_stack_cache(
         Some(SwarmState::Unknown) | None => StackState::Unknown,
       })
       .unwrap_or(StackState::Down);
+
     let services = extract_services_from_stack(&stack);
     let service_prefix = format!("{project_name}_");
+
     let mut services_with_swarm_services = services
       .iter()
       .map(
@@ -74,27 +76,50 @@ pub async fn update_swarm_stack_cache(
                 .unwrap_or_default()
             })
             .cloned();
+
+          let (image, image_digests) = swarm_service
+            .as_ref()
+            .and_then(|swarm_service| swarm_service.image.as_ref())
+            .map(|image| {
+              (
+                image.clone(),
+                ImageDigest::parse(image).map(|d| vec![d]),
+              )
+            })
+            .unwrap_or((
+              if image.contains(':') {
+                image.to_string()
+              } else {
+                format!("{image}:latest")
+              },
+              None,
+            ));
+
           StackService {
             service: service_name.clone(),
-            image: image.clone(),
             container: None,
             swarm_service,
-            image_digests: Default::default(),
+            image,
+            image_digests,
           }
         },
       )
       .collect::<Vec<_>>();
+
     services_with_swarm_services
       .sort_by(|a, b| a.service.cmp(&b.service));
+
     let prev_state = stack_status_cache
       .get(&stack.id)
       .await
       .map(|s| s.curr.state);
+
     let status = CachedStackStatus {
       id: stack.id.clone(),
       state: current_state,
       services: services_with_swarm_services,
     };
+
     stack_status_cache
       .insert(
         stack.id,
@@ -207,10 +232,17 @@ pub async fn update_swarm_deployment_cache(
           .unwrap_or_default()
       })
       .cloned();
+
+    let image_digests = service
+      .as_ref()
+      .and_then(|service| service.image.as_ref())
+      .and_then(|image| ImageDigest::parse(image).map(|d| vec![d]));
+
     let prev_state = deployment_status_cache
       .get(&deployment.id)
       .await
       .map(|s| s.curr.state);
+
     let current_state = service
       .as_ref()
       .map(|service| match service.state {
@@ -220,6 +252,7 @@ pub async fn update_swarm_deployment_cache(
         SwarmState::Unknown => DeploymentState::Unknown,
       })
       .unwrap_or(DeploymentState::NotDeployed);
+
     deployment_status_cache
       .insert(
         deployment.id.clone(),
@@ -227,9 +260,9 @@ pub async fn update_swarm_deployment_cache(
           curr: CachedDeploymentStatus {
             id: deployment.id,
             state: current_state,
-            service,
             container: None,
-            image_digests: None,
+            service,
+            image_digests,
           },
           prev: prev_state,
         }
@@ -251,6 +284,7 @@ pub async fn update_server_deployment_cache(
       .iter()
       .find(|container| container.name == deployment.name)
       .cloned();
+
     let image_digests = container
       .as_ref()
       .and_then(|container| container.image_id.as_ref())
@@ -263,10 +297,12 @@ pub async fn update_server_deployment_cache(
           }
         })
       });
+
     let prev_state = deployment_status_cache
       .get(&deployment.id)
       .await
       .map(|s| s.curr.state);
+
     let current_state = container
       .as_ref()
       .map(|c| c.state.into())

bin/core/src/stack/services.rs

@@ -38,8 +38,6 @@ pub fn extract_services_into_res(
         "failed to parse service names from compose contents",
       )?;
 
-  let mut services = Vec::with_capacity(compose.services.capacity());
-
   for (
     service_name,
     ComposeService {
@@ -49,17 +47,29 @@ pub fn extract_services_into_res(
     },
   ) in compose.services
   {
-    let image = image.unwrap_or_default();
-    services.push(StackServiceNames {
-      container_name: container_name
-        .unwrap_or_else(|| format!("{project_name}-{service_name}")),
-      image_digest: service_image_digests.get(&service_name).cloned(),
-      service_name,
-      image,
-    });
+    if let Some(existing) =
+      res.iter_mut().find(|s| s.service_name == service_name)
+    {
+      // Override any defined fields
+      if let Some(container_name) = container_name {
+        existing.container_name = container_name;
+      }
+      if let Some(image) = image {
+        existing.image = image;
+      }
+    } else {
+      res.push(StackServiceNames {
+        container_name: container_name.unwrap_or_else(|| {
+          format!("{project_name}-{service_name}")
+        }),
+        image_digest: service_image_digests
+          .get(&service_name)
+          .cloned(),
+        image: image.unwrap_or_default(),
+        service_name,
+      });
+    }
   }
 
-  res.extend(services);
-
   Ok(())
 }

client/core/rs/src/entities/config/core.rs

@@ -124,6 +124,10 @@ pub struct Env {
   pub komodo_enable_new_users: Option<bool>,
   /// Override `disable_user_registration`
   pub komodo_disable_user_registration: Option<bool>,
+  /// Override `disable_local_user_registration`
+  pub komodo_disable_local_user_registration: Option<bool>,
+  /// Override `disable_oidc_user_registration`
+  pub komodo_disable_oidc_user_registration: Option<bool>,
   /// Override `lock_login_credentials_for`
   pub komodo_lock_login_credentials_for: Option<Vec<String>>,
   /// Override `disable_confirm_dialog`
@@ -457,6 +461,20 @@ pub struct CoreConfig {
   #[serde(default)]
   pub disable_user_registration: bool,
 
+  /// Disable local (username/password) user registration only.
+  /// When set, the "Sign Up" button is hidden and local signups are blocked,
+  /// but OIDC and other external provider signups are still allowed.
+  /// If not set, falls back to `disable_user_registration`.
+  #[serde(default)]
+  pub disable_local_user_registration: Option<bool>,
+
+  /// Disable OIDC user registration only.
+  /// When set, new users cannot register via OIDC,
+  /// but local and other provider signups are still allowed.
+  /// If not set, falls back to `disable_user_registration`.
+  #[serde(default)]
+  pub disable_oidc_user_registration: Option<bool>,
+
   /// List of usernames for which the update username / password
   /// APIs are disabled. Used by demo to lock the 'demo' : 'demo' login.
   ///
@@ -826,6 +844,8 @@ impl Default for CoreConfig {
       transparent_mode: Default::default(),
       enable_new_users: Default::default(),
       disable_user_registration: Default::default(),
+      disable_local_user_registration: Default::default(),
+      disable_oidc_user_registration: Default::default(),
       lock_login_credentials_for: Default::default(),
       disable_non_admin_create: Default::default(),
       jwt_secret: Default::default(),
@@ -909,6 +929,10 @@ impl CoreConfig {
       enable_fancy_toml: config.enable_fancy_toml,
       enable_new_users: config.enable_new_users,
       disable_user_registration: config.disable_user_registration,
+      disable_local_user_registration: config
+        .disable_local_user_registration,
+      disable_oidc_user_registration: config
+        .disable_oidc_user_registration,
       disable_non_admin_create: config.disable_non_admin_create,
       lock_login_credentials_for: config.lock_login_credentials_for,
       local_auth: config.local_auth,

client/core/ts/package.json

@@ -1,6 +1,6 @@
 {
   "name": "komodo_client",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "Komodo client package",
   "homepage": "https://komo.do",
   "main": "dist/lib.js",

config/core.config.toml

@@ -167,6 +167,20 @@ init_admin_password = "changeme"
 ## Default: false
 disable_user_registration = false
 
+## Disable local (username/password) user registration only.
+## When set to true, the "Sign Up" button is hidden and local signups are blocked,
+## but OIDC and other external provider signups are still allowed.
+## If not set, falls back to `disable_user_registration`.
+## Env: KOMODO_DISABLE_LOCAL_USER_REGISTRATION
+# disable_local_user_registration = true
+
+## Disable OIDC user registration only.
+## When set to true, new users cannot register via OIDC,
+## but local and other provider signups are still allowed.
+## If not set, falls back to `disable_user_registration`.
+## Env: KOMODO_DISABLE_OIDC_USER_REGISTRATION
+# disable_oidc_user_registration = true
+
 ## New users will be automatically enabled when they sign up.
 ## Otherwise, new users will be disabled on first login.
 ## The first user to login will always be enabled on creation.