CAS + SAML authentication feature (#6425)
* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add localesth-downstream
parent
ded217f84a
commit
5322013f25
@ -0,0 +1,33 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
|
||||
skip_before_action :verify_authenticity_token
|
||||
|
||||
def self.provides_callback_for(provider)
|
||||
provider_id = provider.to_s.chomp '_oauth2'
|
||||
|
||||
define_method provider do
|
||||
@user = User.find_for_oauth(request.env['omniauth.auth'], current_user)
|
||||
|
||||
if @user.persisted?
|
||||
sign_in_and_redirect @user, event: :authentication
|
||||
set_flash_message(:notice, :success, kind: provider_id.capitalize) if is_navigational_format?
|
||||
else
|
||||
session["devise.#{provider}_data"] = request.env['omniauth.auth']
|
||||
redirect_to new_user_registration_url
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Devise.omniauth_configs.each_key do |provider|
|
||||
provides_callback_for provider
|
||||
end
|
||||
|
||||
def after_sign_in_path_for(resource)
|
||||
if resource.email_verified?
|
||||
root_path
|
||||
else
|
||||
finish_signup_path
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,81 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
module Omniauthable
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
TEMP_EMAIL_PREFIX = 'change@me'
|
||||
TEMP_EMAIL_REGEX = /\Achange@me/
|
||||
|
||||
included do
|
||||
def omniauth_providers
|
||||
Devise.omniauth_configs.keys
|
||||
end
|
||||
|
||||
def email_verified?
|
||||
email && email !~ TEMP_EMAIL_REGEX
|
||||
end
|
||||
end
|
||||
|
||||
class_methods do
|
||||
def find_for_oauth(auth, signed_in_resource = nil)
|
||||
# EOLE-SSO Patch
|
||||
auth.uid = (auth.uid[0][:uid] || auth.uid[0][:user]) if auth.uid.is_a? Hashie::Array
|
||||
identity = Identity.find_for_oauth(auth)
|
||||
|
||||
# If a signed_in_resource is provided it always overrides the existing user
|
||||
# to prevent the identity being locked with accidentally created accounts.
|
||||
# Note that this may leave zombie accounts (with no associated identity) which
|
||||
# can be cleaned up at a later date.
|
||||
user = signed_in_resource ? signed_in_resource : identity.user
|
||||
user = create_for_oauth(auth) if user.nil?
|
||||
|
||||
if identity.user.nil?
|
||||
identity.user = user
|
||||
identity.save!
|
||||
end
|
||||
|
||||
user
|
||||
end
|
||||
|
||||
def create_for_oauth(auth)
|
||||
# Check if the user exists with provided email if the provider gives us a
|
||||
# verified email. If no verified email was provided or the user already
|
||||
# exists, we assign a temporary email and ask the user to verify it on
|
||||
# the next step via Auth::ConfirmationsController.finish_signup
|
||||
|
||||
user = User.new(user_params_from_auth(auth))
|
||||
user.account.avatar_remote_url = auth.info.image if auth.info.image =~ /\A#{URI.regexp(%w(http https))}\z/
|
||||
user.skip_confirmation!
|
||||
user.save!
|
||||
user
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def user_params_from_auth(auth)
|
||||
email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email)
|
||||
email = auth.info.email if email_is_verified && !User.exists?(email: auth.info.email)
|
||||
|
||||
{
|
||||
email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com",
|
||||
password: Devise.friendly_token[0, 20],
|
||||
account_attributes: {
|
||||
username: ensure_unique_username(auth.uid),
|
||||
display_name: [auth.info.first_name, auth.info.last_name].join(' '),
|
||||
},
|
||||
}
|
||||
end
|
||||
|
||||
def ensure_unique_username(starting_username)
|
||||
username = starting_username
|
||||
i = 0
|
||||
|
||||
while Account.exists?(username: username)
|
||||
i += 1
|
||||
username = "#{starting_username}_#{i}"
|
||||
end
|
||||
|
||||
username
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,22 @@
|
||||
# frozen_string_literal: true
|
||||
# == Schema Information
|
||||
#
|
||||
# Table name: identities
|
||||
#
|
||||
# id :integer not null, primary key
|
||||
# user_id :integer
|
||||
# provider :string default(""), not null
|
||||
# uid :string default(""), not null
|
||||
# created_at :datetime not null
|
||||
# updated_at :datetime not null
|
||||
#
|
||||
|
||||
class Identity < ApplicationRecord
|
||||
belongs_to :user, dependent: :destroy
|
||||
validates :uid, presence: true, uniqueness: { scope: :provider }
|
||||
validates :provider, presence: true
|
||||
|
||||
def self.find_for_oauth(auth)
|
||||
find_or_create_by(uid: auth.uid, provider: auth.provider)
|
||||
end
|
||||
end
|
@ -0,0 +1,14 @@
|
||||
- content_for :page_title do
|
||||
= t('auth.confirm_email')
|
||||
|
||||
= simple_form_for(current_user, as: 'user', url: finish_signup_path, html: { role: 'form'}) do |f|
|
||||
- if @show_errors && current_user.errors.any?
|
||||
#error_explanation
|
||||
- current_user.errors.full_messages.each do |msg|
|
||||
= msg
|
||||
%br
|
||||
|
||||
= f.input :email
|
||||
|
||||
.actions
|
||||
= f.submit t('auth.confirm_email'), class: 'button'
|
@ -0,0 +1,11 @@
|
||||
class CreateIdentities < ActiveRecord::Migration[5.0]
|
||||
def change
|
||||
create_table :identities do |t|
|
||||
t.references :user, foreign_key: { on_delete: :cascade }
|
||||
t.string :provider, null: false, default: ''
|
||||
t.string :uid, null: false, default: ''
|
||||
|
||||
t.timestamps
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,5 @@
|
||||
Fabricator(:identity) do
|
||||
user nil
|
||||
provider "MyString"
|
||||
uid "MyString"
|
||||
end
|
@ -0,0 +1,5 @@
|
||||
require 'rails_helper'
|
||||
|
||||
RSpec.describe Identity, type: :model do
|
||||
pending "add some examples to (or delete) #{__FILE__}"
|
||||
end
|
Loading…
Reference in new issue