* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add localespull/4/head
@ -0,0 +1,33 @@ | |||||
# frozen_string_literal: true | |||||
class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController | |||||
skip_before_action :verify_authenticity_token | |||||
def self.provides_callback_for(provider) | |||||
provider_id = provider.to_s.chomp '_oauth2' | |||||
define_method provider do | |||||
@user = User.find_for_oauth(request.env['omniauth.auth'], current_user) | |||||
if @user.persisted? | |||||
sign_in_and_redirect @user, event: :authentication | |||||
set_flash_message(:notice, :success, kind: provider_id.capitalize) if is_navigational_format? | |||||
else | |||||
session["devise.#{provider}_data"] = request.env['omniauth.auth'] | |||||
redirect_to new_user_registration_url | |||||
end | |||||
end | |||||
end | |||||
Devise.omniauth_configs.each_key do |provider| | |||||
provides_callback_for provider | |||||
end | |||||
def after_sign_in_path_for(resource) | |||||
if resource.email_verified? | |||||
root_path | |||||
else | |||||
finish_signup_path | |||||
end | |||||
end | |||||
end |
@ -0,0 +1,81 @@ | |||||
# frozen_string_literal: true | |||||
module Omniauthable | |||||
extend ActiveSupport::Concern | |||||
TEMP_EMAIL_PREFIX = 'change@me' | |||||
TEMP_EMAIL_REGEX = /\Achange@me/ | |||||
included do | |||||
def omniauth_providers | |||||
Devise.omniauth_configs.keys | |||||
end | |||||
def email_verified? | |||||
email && email !~ TEMP_EMAIL_REGEX | |||||
end | |||||
end | |||||
class_methods do | |||||
def find_for_oauth(auth, signed_in_resource = nil) | |||||
# EOLE-SSO Patch | |||||
auth.uid = (auth.uid[0][:uid] || auth.uid[0][:user]) if auth.uid.is_a? Hashie::Array | |||||
identity = Identity.find_for_oauth(auth) | |||||
# If a signed_in_resource is provided it always overrides the existing user | |||||
# to prevent the identity being locked with accidentally created accounts. | |||||
# Note that this may leave zombie accounts (with no associated identity) which | |||||
# can be cleaned up at a later date. | |||||
user = signed_in_resource ? signed_in_resource : identity.user | |||||
user = create_for_oauth(auth) if user.nil? | |||||
if identity.user.nil? | |||||
identity.user = user | |||||
identity.save! | |||||
end | |||||
user | |||||
end | |||||
def create_for_oauth(auth) | |||||
# Check if the user exists with provided email if the provider gives us a | |||||
# verified email. If no verified email was provided or the user already | |||||
# exists, we assign a temporary email and ask the user to verify it on | |||||
# the next step via Auth::ConfirmationsController.finish_signup | |||||
user = User.new(user_params_from_auth(auth)) | |||||
user.account.avatar_remote_url = auth.info.image if auth.info.image =~ /\A#{URI.regexp(%w(http https))}\z/ | |||||
user.skip_confirmation! | |||||
user.save! | |||||
user | |||||
end | |||||
private | |||||
def user_params_from_auth(auth) | |||||
email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email) | |||||
email = auth.info.email if email_is_verified && !User.exists?(email: auth.info.email) | |||||
{ | |||||
email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com", | |||||
password: Devise.friendly_token[0, 20], | |||||
account_attributes: { | |||||
username: ensure_unique_username(auth.uid), | |||||
display_name: [auth.info.first_name, auth.info.last_name].join(' '), | |||||
}, | |||||
} | |||||
end | |||||
def ensure_unique_username(starting_username) | |||||
username = starting_username | |||||
i = 0 | |||||
while Account.exists?(username: username) | |||||
i += 1 | |||||
username = "#{starting_username}_#{i}" | |||||
end | |||||
username | |||||
end | |||||
end | |||||
end |
@ -0,0 +1,22 @@ | |||||
# frozen_string_literal: true | |||||
# == Schema Information | |||||
# | |||||
# Table name: identities | |||||
# | |||||
# id :integer not null, primary key | |||||
# user_id :integer | |||||
# provider :string default(""), not null | |||||
# uid :string default(""), not null | |||||
# created_at :datetime not null | |||||
# updated_at :datetime not null | |||||
# | |||||
class Identity < ApplicationRecord | |||||
belongs_to :user, dependent: :destroy | |||||
validates :uid, presence: true, uniqueness: { scope: :provider } | |||||
validates :provider, presence: true | |||||
def self.find_for_oauth(auth) | |||||
find_or_create_by(uid: auth.uid, provider: auth.provider) | |||||
end | |||||
end |
@ -0,0 +1,14 @@ | |||||
- content_for :page_title do | |||||
= t('auth.confirm_email') | |||||
= simple_form_for(current_user, as: 'user', url: finish_signup_path, html: { role: 'form'}) do |f| | |||||
- if @show_errors && current_user.errors.any? | |||||
#error_explanation | |||||
- current_user.errors.full_messages.each do |msg| | |||||
= msg | |||||
%br | |||||
= f.input :email | |||||
.actions | |||||
= f.submit t('auth.confirm_email'), class: 'button' |
@ -0,0 +1,59 @@ | |||||
Rails.application.config.middleware.use OmniAuth::Builder do | |||||
# Vanilla omniauth stategies | |||||
end | |||||
Devise.setup do |config| | |||||
# Devise omniauth strategies | |||||
# CAS strategy | |||||
if ENV['CAS_ENABLED'] == 'true' | |||||
cas_options = {} | |||||
cas_options[:url] = ENV['CAS_URL'] if ENV['CAS_URL'] | |||||
cas_options[:host] = ENV['CAS_HOST'] if ENV['CAS_HOST'] | |||||
cas_options[:port] = ENV['CAS_PORT'] if ENV['CAS_PORT'] | |||||
cas_options[:ssl] = ENV['CAS_SSL'] == 'true' if ENV['CAS_SSL'] | |||||
cas_options[:validate_url] = ENV['CAS_VALIDATE_URL'] if ENV['CAS_VALIDATE_URL'] | |||||
cas_options[:callback_url] = ENV['CAS_CALLBACK_URL'] if ENV['CAS_CALLBACK_URL'] | |||||
cas_options[:logout_url] = ENV['CAS_LOGOUT_URL'] if ENV['CAS_LOGOUT_URL'] | |||||
cas_options[:login_url] = ENV['CAS_LOGIN_URL'] if ENV['CAS_LOGIN_URL'] | |||||
cas_options[:uid_field] = ENV['CAS_UID_FIELD'] || 'user' if ENV['CAS_UID_FIELD'] | |||||
cas_options[:ca_path] = ENV['CAS_CA_PATH'] if ENV['CAS_CA_PATH'] | |||||
cas_options[:disable_ssl_verification] = ENV['CAS_DISABLE_SSL_VERIFICATION'] == 'true' if ENV['CAS_DISABLE_SSL_VERIFICATION'] | |||||
cas_options[:uid_key] = ENV['CAS_UID_KEY'] || 'user' | |||||
cas_options[:name_key] = ENV['CAS_NAME_KEY'] || 'name' | |||||
cas_options[:email_key] = ENV['CAS_EMAIL_KEY'] || 'email' | |||||
cas_options[:nickname_key] = ENV['CAS_NICKNAME_KEY'] || 'nickname' | |||||
cas_options[:first_name_key] = ENV['CAS_FIRST_NAME_KEY'] || 'firstname' | |||||
cas_options[:last_name_key] = ENV['CAS_LAST_NAME_KEY'] || 'lastname' | |||||
cas_options[:location_key] = ENV['CAS_LOCATION_KEY'] || 'location' | |||||
cas_options[:image_key] = ENV['CAS_IMAGE_KEY'] || 'image' | |||||
cas_options[:phone_key] = ENV['CAS_PHONE_KEY'] || 'phone' | |||||
config.omniauth :cas, cas_options | |||||
end | |||||
# SAML strategy | |||||
if ENV['SAML_ENABLED'] == 'true' | |||||
saml_options = {} | |||||
saml_options[:assertion_consumer_service_url] = ENV['SAML_ACS_URL'] if ENV['SAML_ACS_URL'] | |||||
saml_options[:issuer] = ENV['SAML_ISSUER'] if ENV['SAML_ISSUER'] | |||||
saml_options[:idp_sso_target_url] = ENV['SAML_IDP_SSO_TARGET_URL'] if ENV['SAML_IDP_SSO_TARGET_URL'] | |||||
saml_options[:idp_sso_target_url_runtime_params] = ENV['SAML_IDP_SSO_TARGET_PARAMS'] if ENV['SAML_IDP_SSO_TARGET_PARAMS'] # FIXME: Should be parsable Hash | |||||
saml_options[:idp_cert] = ENV['SAML_IDP_CERT'] if ENV['SAML_IDP_CERT'] | |||||
saml_options[:idp_cert_fingerprint] = ENV['SAML_IDP_CERT_FINGERPRINT'] if ENV['SAML_IDP_CERT_FINGERPRINT'] | |||||
saml_options[:idp_cert_fingerprint_validator] = ENV['SAML_IDP_CERT_FINGERPRINT_VALIDATOR'] if ENV['SAML_IDP_CERT_FINGERPRINT_VALIDATOR'] # FIXME: Should be Lambda { |fingerprint| } | |||||
saml_options[:name_identifier_format] = ENV['SAML_NAME_IDENTIFIER_FORMAT'] if ENV['SAML_NAME_IDENTIFIER_FORMAT'] | |||||
saml_options[:request_attributes] = {} | |||||
saml_options[:certificate] = ENV['SAML_CERT'] if ENV['SAML_CERT'] | |||||
saml_options[:private_key] = ENV['SAML_PRIVATE_KEY'] if ENV['SAML_PRIVATE_KEY'] | |||||
saml_options[:security] = {} | |||||
saml_options[:security][:want_assertions_signed] = ENV['SAML_SECURITY_WANT_ASSERTION_SIGNED'] == 'true' | |||||
saml_options[:security][:want_assertions_encrypted] = ENV['SAML_SECURITY_WANT_ASSERTION_ENCRYPTED'] == 'true' | |||||
saml_options[:attribute_statements] = {} | |||||
saml_options[:attribute_statements][:uid] = [ENV['SAML_ATTRIBUTES_STATEMENTS_UID']] if ENV['SAML_ATTRIBUTES_STATEMENTS_UID'] | |||||
saml_options[:attribute_statements][:email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL'] | |||||
saml_options[:attribute_statements][:full_name] = [ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME'] | |||||
saml_options[:uid_attribute] = ENV['SAML_UID_ATTRIBUTE'] if ENV['SAML_UID_ATTRIBUTE'] | |||||
config.omniauth :saml, saml_options | |||||
end | |||||
end |
@ -0,0 +1,11 @@ | |||||
class CreateIdentities < ActiveRecord::Migration[5.0] | |||||
def change | |||||
create_table :identities do |t| | |||||
t.references :user, foreign_key: { on_delete: :cascade } | |||||
t.string :provider, null: false, default: '' | |||||
t.string :uid, null: false, default: '' | |||||
t.timestamps | |||||
end | |||||
end | |||||
end |
@ -0,0 +1,5 @@ | |||||
Fabricator(:identity) do | |||||
user nil | |||||
provider "MyString" | |||||
uid "MyString" | |||||
end |
@ -0,0 +1,5 @@ | |||||
require 'rails_helper' | |||||
RSpec.describe Identity, type: :model do | |||||
pending "add some examples to (or delete) #{__FILE__}" | |||||
end |