* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add localespull/4/head
@ -0,0 +1,33 @@ | |||
# frozen_string_literal: true | |||
class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController | |||
skip_before_action :verify_authenticity_token | |||
def self.provides_callback_for(provider) | |||
provider_id = provider.to_s.chomp '_oauth2' | |||
define_method provider do | |||
@user = User.find_for_oauth(request.env['omniauth.auth'], current_user) | |||
if @user.persisted? | |||
sign_in_and_redirect @user, event: :authentication | |||
set_flash_message(:notice, :success, kind: provider_id.capitalize) if is_navigational_format? | |||
else | |||
session["devise.#{provider}_data"] = request.env['omniauth.auth'] | |||
redirect_to new_user_registration_url | |||
end | |||
end | |||
end | |||
Devise.omniauth_configs.each_key do |provider| | |||
provides_callback_for provider | |||
end | |||
def after_sign_in_path_for(resource) | |||
if resource.email_verified? | |||
root_path | |||
else | |||
finish_signup_path | |||
end | |||
end | |||
end |
@ -0,0 +1,81 @@ | |||
# frozen_string_literal: true | |||
module Omniauthable | |||
extend ActiveSupport::Concern | |||
TEMP_EMAIL_PREFIX = 'change@me' | |||
TEMP_EMAIL_REGEX = /\Achange@me/ | |||
included do | |||
def omniauth_providers | |||
Devise.omniauth_configs.keys | |||
end | |||
def email_verified? | |||
email && email !~ TEMP_EMAIL_REGEX | |||
end | |||
end | |||
class_methods do | |||
def find_for_oauth(auth, signed_in_resource = nil) | |||
# EOLE-SSO Patch | |||
auth.uid = (auth.uid[0][:uid] || auth.uid[0][:user]) if auth.uid.is_a? Hashie::Array | |||
identity = Identity.find_for_oauth(auth) | |||
# If a signed_in_resource is provided it always overrides the existing user | |||
# to prevent the identity being locked with accidentally created accounts. | |||
# Note that this may leave zombie accounts (with no associated identity) which | |||
# can be cleaned up at a later date. | |||
user = signed_in_resource ? signed_in_resource : identity.user | |||
user = create_for_oauth(auth) if user.nil? | |||
if identity.user.nil? | |||
identity.user = user | |||
identity.save! | |||
end | |||
user | |||
end | |||
def create_for_oauth(auth) | |||
# Check if the user exists with provided email if the provider gives us a | |||
# verified email. If no verified email was provided or the user already | |||
# exists, we assign a temporary email and ask the user to verify it on | |||
# the next step via Auth::ConfirmationsController.finish_signup | |||
user = User.new(user_params_from_auth(auth)) | |||
user.account.avatar_remote_url = auth.info.image if auth.info.image =~ /\A#{URI.regexp(%w(http https))}\z/ | |||
user.skip_confirmation! | |||
user.save! | |||
user | |||
end | |||
private | |||
def user_params_from_auth(auth) | |||
email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email) | |||
email = auth.info.email if email_is_verified && !User.exists?(email: auth.info.email) | |||
{ | |||
email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com", | |||
password: Devise.friendly_token[0, 20], | |||
account_attributes: { | |||
username: ensure_unique_username(auth.uid), | |||
display_name: [auth.info.first_name, auth.info.last_name].join(' '), | |||
}, | |||
} | |||
end | |||
def ensure_unique_username(starting_username) | |||
username = starting_username | |||
i = 0 | |||
while Account.exists?(username: username) | |||
i += 1 | |||
username = "#{starting_username}_#{i}" | |||
end | |||
username | |||
end | |||
end | |||
end |
@ -0,0 +1,22 @@ | |||
# frozen_string_literal: true | |||
# == Schema Information | |||
# | |||
# Table name: identities | |||
# | |||
# id :integer not null, primary key | |||
# user_id :integer | |||
# provider :string default(""), not null | |||
# uid :string default(""), not null | |||
# created_at :datetime not null | |||
# updated_at :datetime not null | |||
# | |||
class Identity < ApplicationRecord | |||
belongs_to :user, dependent: :destroy | |||
validates :uid, presence: true, uniqueness: { scope: :provider } | |||
validates :provider, presence: true | |||
def self.find_for_oauth(auth) | |||
find_or_create_by(uid: auth.uid, provider: auth.provider) | |||
end | |||
end |
@ -0,0 +1,14 @@ | |||
- content_for :page_title do | |||
= t('auth.confirm_email') | |||
= simple_form_for(current_user, as: 'user', url: finish_signup_path, html: { role: 'form'}) do |f| | |||
- if @show_errors && current_user.errors.any? | |||
#error_explanation | |||
- current_user.errors.full_messages.each do |msg| | |||
= msg | |||
%br | |||
= f.input :email | |||
.actions | |||
= f.submit t('auth.confirm_email'), class: 'button' |
@ -0,0 +1,59 @@ | |||
Rails.application.config.middleware.use OmniAuth::Builder do | |||
# Vanilla omniauth stategies | |||
end | |||
Devise.setup do |config| | |||
# Devise omniauth strategies | |||
# CAS strategy | |||
if ENV['CAS_ENABLED'] == 'true' | |||
cas_options = {} | |||
cas_options[:url] = ENV['CAS_URL'] if ENV['CAS_URL'] | |||
cas_options[:host] = ENV['CAS_HOST'] if ENV['CAS_HOST'] | |||
cas_options[:port] = ENV['CAS_PORT'] if ENV['CAS_PORT'] | |||
cas_options[:ssl] = ENV['CAS_SSL'] == 'true' if ENV['CAS_SSL'] | |||
cas_options[:validate_url] = ENV['CAS_VALIDATE_URL'] if ENV['CAS_VALIDATE_URL'] | |||
cas_options[:callback_url] = ENV['CAS_CALLBACK_URL'] if ENV['CAS_CALLBACK_URL'] | |||
cas_options[:logout_url] = ENV['CAS_LOGOUT_URL'] if ENV['CAS_LOGOUT_URL'] | |||
cas_options[:login_url] = ENV['CAS_LOGIN_URL'] if ENV['CAS_LOGIN_URL'] | |||
cas_options[:uid_field] = ENV['CAS_UID_FIELD'] || 'user' if ENV['CAS_UID_FIELD'] | |||
cas_options[:ca_path] = ENV['CAS_CA_PATH'] if ENV['CAS_CA_PATH'] | |||
cas_options[:disable_ssl_verification] = ENV['CAS_DISABLE_SSL_VERIFICATION'] == 'true' if ENV['CAS_DISABLE_SSL_VERIFICATION'] | |||
cas_options[:uid_key] = ENV['CAS_UID_KEY'] || 'user' | |||
cas_options[:name_key] = ENV['CAS_NAME_KEY'] || 'name' | |||
cas_options[:email_key] = ENV['CAS_EMAIL_KEY'] || 'email' | |||
cas_options[:nickname_key] = ENV['CAS_NICKNAME_KEY'] || 'nickname' | |||
cas_options[:first_name_key] = ENV['CAS_FIRST_NAME_KEY'] || 'firstname' | |||
cas_options[:last_name_key] = ENV['CAS_LAST_NAME_KEY'] || 'lastname' | |||
cas_options[:location_key] = ENV['CAS_LOCATION_KEY'] || 'location' | |||
cas_options[:image_key] = ENV['CAS_IMAGE_KEY'] || 'image' | |||
cas_options[:phone_key] = ENV['CAS_PHONE_KEY'] || 'phone' | |||
config.omniauth :cas, cas_options | |||
end | |||
# SAML strategy | |||
if ENV['SAML_ENABLED'] == 'true' | |||
saml_options = {} | |||
saml_options[:assertion_consumer_service_url] = ENV['SAML_ACS_URL'] if ENV['SAML_ACS_URL'] | |||
saml_options[:issuer] = ENV['SAML_ISSUER'] if ENV['SAML_ISSUER'] | |||
saml_options[:idp_sso_target_url] = ENV['SAML_IDP_SSO_TARGET_URL'] if ENV['SAML_IDP_SSO_TARGET_URL'] | |||
saml_options[:idp_sso_target_url_runtime_params] = ENV['SAML_IDP_SSO_TARGET_PARAMS'] if ENV['SAML_IDP_SSO_TARGET_PARAMS'] # FIXME: Should be parsable Hash | |||
saml_options[:idp_cert] = ENV['SAML_IDP_CERT'] if ENV['SAML_IDP_CERT'] | |||
saml_options[:idp_cert_fingerprint] = ENV['SAML_IDP_CERT_FINGERPRINT'] if ENV['SAML_IDP_CERT_FINGERPRINT'] | |||
saml_options[:idp_cert_fingerprint_validator] = ENV['SAML_IDP_CERT_FINGERPRINT_VALIDATOR'] if ENV['SAML_IDP_CERT_FINGERPRINT_VALIDATOR'] # FIXME: Should be Lambda { |fingerprint| } | |||
saml_options[:name_identifier_format] = ENV['SAML_NAME_IDENTIFIER_FORMAT'] if ENV['SAML_NAME_IDENTIFIER_FORMAT'] | |||
saml_options[:request_attributes] = {} | |||
saml_options[:certificate] = ENV['SAML_CERT'] if ENV['SAML_CERT'] | |||
saml_options[:private_key] = ENV['SAML_PRIVATE_KEY'] if ENV['SAML_PRIVATE_KEY'] | |||
saml_options[:security] = {} | |||
saml_options[:security][:want_assertions_signed] = ENV['SAML_SECURITY_WANT_ASSERTION_SIGNED'] == 'true' | |||
saml_options[:security][:want_assertions_encrypted] = ENV['SAML_SECURITY_WANT_ASSERTION_ENCRYPTED'] == 'true' | |||
saml_options[:attribute_statements] = {} | |||
saml_options[:attribute_statements][:uid] = [ENV['SAML_ATTRIBUTES_STATEMENTS_UID']] if ENV['SAML_ATTRIBUTES_STATEMENTS_UID'] | |||
saml_options[:attribute_statements][:email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL'] | |||
saml_options[:attribute_statements][:full_name] = [ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME'] | |||
saml_options[:uid_attribute] = ENV['SAML_UID_ATTRIBUTE'] if ENV['SAML_UID_ATTRIBUTE'] | |||
config.omniauth :saml, saml_options | |||
end | |||
end |
@ -0,0 +1,11 @@ | |||
class CreateIdentities < ActiveRecord::Migration[5.0] | |||
def change | |||
create_table :identities do |t| | |||
t.references :user, foreign_key: { on_delete: :cascade } | |||
t.string :provider, null: false, default: '' | |||
t.string :uid, null: false, default: '' | |||
t.timestamps | |||
end | |||
end | |||
end |
@ -0,0 +1,5 @@ | |||
Fabricator(:identity) do | |||
user nil | |||
provider "MyString" | |||
uid "MyString" | |||
end |
@ -0,0 +1,5 @@ | |||
require 'rails_helper' | |||
RSpec.describe Identity, type: :model do | |||
pending "add some examples to (or delete) #{__FILE__}" | |||
end |