CAS + SAML authentication feature (#6425)
* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add localesmain
parent
9da81a1639
commit
26f21fd5a0
@ -0,0 +1,33 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
|
||||||
|
skip_before_action :verify_authenticity_token
|
||||||
|
|
||||||
|
def self.provides_callback_for(provider)
|
||||||
|
provider_id = provider.to_s.chomp '_oauth2'
|
||||||
|
|
||||||
|
define_method provider do
|
||||||
|
@user = User.find_for_oauth(request.env['omniauth.auth'], current_user)
|
||||||
|
|
||||||
|
if @user.persisted?
|
||||||
|
sign_in_and_redirect @user, event: :authentication
|
||||||
|
set_flash_message(:notice, :success, kind: provider_id.capitalize) if is_navigational_format?
|
||||||
|
else
|
||||||
|
session["devise.#{provider}_data"] = request.env['omniauth.auth']
|
||||||
|
redirect_to new_user_registration_url
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
Devise.omniauth_configs.each_key do |provider|
|
||||||
|
provides_callback_for provider
|
||||||
|
end
|
||||||
|
|
||||||
|
def after_sign_in_path_for(resource)
|
||||||
|
if resource.email_verified?
|
||||||
|
root_path
|
||||||
|
else
|
||||||
|
finish_signup_path
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
@ -0,0 +1,81 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module Omniauthable
|
||||||
|
extend ActiveSupport::Concern
|
||||||
|
|
||||||
|
TEMP_EMAIL_PREFIX = 'change@me'
|
||||||
|
TEMP_EMAIL_REGEX = /\Achange@me/
|
||||||
|
|
||||||
|
included do
|
||||||
|
def omniauth_providers
|
||||||
|
Devise.omniauth_configs.keys
|
||||||
|
end
|
||||||
|
|
||||||
|
def email_verified?
|
||||||
|
email && email !~ TEMP_EMAIL_REGEX
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
class_methods do
|
||||||
|
def find_for_oauth(auth, signed_in_resource = nil)
|
||||||
|
# EOLE-SSO Patch
|
||||||
|
auth.uid = (auth.uid[0][:uid] || auth.uid[0][:user]) if auth.uid.is_a? Hashie::Array
|
||||||
|
identity = Identity.find_for_oauth(auth)
|
||||||
|
|
||||||
|
# If a signed_in_resource is provided it always overrides the existing user
|
||||||
|
# to prevent the identity being locked with accidentally created accounts.
|
||||||
|
# Note that this may leave zombie accounts (with no associated identity) which
|
||||||
|
# can be cleaned up at a later date.
|
||||||
|
user = signed_in_resource ? signed_in_resource : identity.user
|
||||||
|
user = create_for_oauth(auth) if user.nil?
|
||||||
|
|
||||||
|
if identity.user.nil?
|
||||||
|
identity.user = user
|
||||||
|
identity.save!
|
||||||
|
end
|
||||||
|
|
||||||
|
user
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_for_oauth(auth)
|
||||||
|
# Check if the user exists with provided email if the provider gives us a
|
||||||
|
# verified email. If no verified email was provided or the user already
|
||||||
|
# exists, we assign a temporary email and ask the user to verify it on
|
||||||
|
# the next step via Auth::ConfirmationsController.finish_signup
|
||||||
|
|
||||||
|
user = User.new(user_params_from_auth(auth))
|
||||||
|
user.account.avatar_remote_url = auth.info.image if auth.info.image =~ /\A#{URI.regexp(%w(http https))}\z/
|
||||||
|
user.skip_confirmation!
|
||||||
|
user.save!
|
||||||
|
user
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def user_params_from_auth(auth)
|
||||||
|
email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email)
|
||||||
|
email = auth.info.email if email_is_verified && !User.exists?(email: auth.info.email)
|
||||||
|
|
||||||
|
{
|
||||||
|
email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com",
|
||||||
|
password: Devise.friendly_token[0, 20],
|
||||||
|
account_attributes: {
|
||||||
|
username: ensure_unique_username(auth.uid),
|
||||||
|
display_name: [auth.info.first_name, auth.info.last_name].join(' '),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
def ensure_unique_username(starting_username)
|
||||||
|
username = starting_username
|
||||||
|
i = 0
|
||||||
|
|
||||||
|
while Account.exists?(username: username)
|
||||||
|
i += 1
|
||||||
|
username = "#{starting_username}_#{i}"
|
||||||
|
end
|
||||||
|
|
||||||
|
username
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
@ -0,0 +1,22 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
# == Schema Information
|
||||||
|
#
|
||||||
|
# Table name: identities
|
||||||
|
#
|
||||||
|
# id :integer not null, primary key
|
||||||
|
# user_id :integer
|
||||||
|
# provider :string default(""), not null
|
||||||
|
# uid :string default(""), not null
|
||||||
|
# created_at :datetime not null
|
||||||
|
# updated_at :datetime not null
|
||||||
|
#
|
||||||
|
|
||||||
|
class Identity < ApplicationRecord
|
||||||
|
belongs_to :user, dependent: :destroy
|
||||||
|
validates :uid, presence: true, uniqueness: { scope: :provider }
|
||||||
|
validates :provider, presence: true
|
||||||
|
|
||||||
|
def self.find_for_oauth(auth)
|
||||||
|
find_or_create_by(uid: auth.uid, provider: auth.provider)
|
||||||
|
end
|
||||||
|
end
|
@ -0,0 +1,14 @@
|
|||||||
|
- content_for :page_title do
|
||||||
|
= t('auth.confirm_email')
|
||||||
|
|
||||||
|
= simple_form_for(current_user, as: 'user', url: finish_signup_path, html: { role: 'form'}) do |f|
|
||||||
|
- if @show_errors && current_user.errors.any?
|
||||||
|
#error_explanation
|
||||||
|
- current_user.errors.full_messages.each do |msg|
|
||||||
|
= msg
|
||||||
|
%br
|
||||||
|
|
||||||
|
= f.input :email
|
||||||
|
|
||||||
|
.actions
|
||||||
|
= f.submit t('auth.confirm_email'), class: 'button'
|
@ -0,0 +1,11 @@
|
|||||||
|
class CreateIdentities < ActiveRecord::Migration[5.0]
|
||||||
|
def change
|
||||||
|
create_table :identities do |t|
|
||||||
|
t.references :user, foreign_key: { on_delete: :cascade }
|
||||||
|
t.string :provider, null: false, default: ''
|
||||||
|
t.string :uid, null: false, default: ''
|
||||||
|
|
||||||
|
t.timestamps
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
@ -0,0 +1,5 @@
|
|||||||
|
Fabricator(:identity) do
|
||||||
|
user nil
|
||||||
|
provider "MyString"
|
||||||
|
uid "MyString"
|
||||||
|
end
|
@ -0,0 +1,5 @@
|
|||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
RSpec.describe Identity, type: :model do
|
||||||
|
pending "add some examples to (or delete) #{__FILE__}"
|
||||||
|
end
|
Loading…
Reference in new issue