lib/saml_authenticator.rb

@@ -40,11 +40,11 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
     statements
       .split("|")
       .map do |statement|
-        attrs = statement.split(":", 2)
-        next if attrs.count != 2
-        (result[attrs[0]] ||= []) << attrs[1].split(",")
-        result[attrs[0]].flatten!
-      end
+      attrs = statement.split(":", 2)
+      next if attrs.count != 2
+      (result[attrs[0]] ||= []) << attrs[1].split(",")
+      result[attrs[0]].flatten!
+    end
 
     result
   end
@@ -78,7 +78,7 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
         want_assertions_signed: !!setting(:want_assertions_signed),
         logout_requests_signed: !!setting(:logout_requests_signed),
         logout_responses_signed: !!setting(:logout_responses_signed),
-        signature_method: XMLSecurity::Document::RSA_SHA1,
+        signature_method: XMLSecurity::Document::RSA_SHA256,
       },
       idp_slo_session_destroy:
         proc do |env, session|
@@ -91,9 +91,28 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
     )
   end
 
+  # Only match by the NameID
+  def match_by_email
+    false
+  end
+
+  def match_by_username
+    false
+  end
+
+  def is_anonymous?(email)
+    email.start_with?("anonymous+") && email.end_with?("@rev.ng")
+  end
+
   def primary_email_verified?(auth_token)
     attributes = OneLogin::RubySaml::Attributes.new(auth_token.extra&.[](:raw_info) || {})
 
+    email = attributes.single("email")
+    return false if is_anonymous?(email)
+
+    email_verified = attributes.single("emailVerified")
+    return email_verified == "true" if attributes.include?("emailVerified")
+
     group_attribute = setting(:groups_attribute)
     if setting(:validate_email_fields).present? && attributes.multi(group_attribute).present?
       validate_email_fields = setting(:validate_email_fields).split("|").map(&:downcase)
@@ -110,12 +129,16 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
     extra_data = auth.extra || {}
     attributes = extra_data[:raw_info] || OneLogin::RubySaml::Attributes.new
 
+    log("after_authenticate: auth: #{auth.inspect}")
+    log("after_authenticate: attributes: #{attributes.inspect}")
+    log("after_authenticate: extra_data: #{extra_data.inspect}")
+    log("after_authenticate: uid: #{attributes.single("uid")}, #{auth[:uid]}")
+
     auth[:uid] = attributes.single("uid") || auth[:uid] if setting(:use_attributes_uid)
     uid = auth[:uid]
 
-    auth.info[:email] ||= uid if uid.to_s&.include?("@")
-
-    auth.info[:nickname] = uid.to_s if uid && setting(:use_attributes_uid)
+    auth.info[:username] = attributes.single("username")
+    auth.info[:nickname] = attributes.single("username")
 
     auth.extra = { "raw_info" => attributes.attributes }
     result = super
@@ -133,22 +156,31 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
 
     result.skip_email_validation = true if setting(:skip_email_validation)
 
-    if result.user.blank?
-      result.username = "" if setting(:clear_username)
-      result.user = auto_create_account(result, uid) if setting(:auto_create_account) &&
-        result.email_valid
+    email = attributes.single("email")
+
+    if not is_anonymous?(email)
+      if result.user.blank?
+        result.username = "" if setting(:clear_username)
+        result.user = auto_create_account(result, uid) if setting(:auto_create_account) &&
+          result.email_valid
+      else
+        user = result.user
+        sync_groups(user, attributes, info)
+        sync_custom_fields(user, attributes, info)
+        sync_moderator(user, attributes)
+        sync_admin(user, attributes)
+        sync_trust_level(user, attributes)
+        sync_locale(user, attributes)
+      end
     else
-      user = result.user
-      sync_groups(user, attributes, info)
-      sync_custom_fields(user, attributes, info)
-      sync_moderator(user, attributes)
-      sync_admin(user, attributes)
-      sync_trust_level(user, attributes)
-      sync_locale(user, attributes)
+      result.failed = true
+      result.failed_reason = "Anonymous users cannot access Discourse. " +
+        "Convert your account to a regular account to continue."
     end
 
     result.overrides_username = setting(:omit_username)
     result.overrides_email = setting(:sync_email)
+    result.overrides_name = true
 
     result
   end
@@ -267,19 +299,19 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
     statements
       .split("|")
       .each do |statement|
-        key, field_id = statement.split(":")
-        next if key.blank? || field_id.blank?
+      key, field_id = statement.split(":")
+      next if key.blank? || field_id.blank?
 
-        val = info[key] || attributes.multi(key)&.join(",")
-        user.custom_fields["user_field_#{field_id}"] = val if val.present?
-      end
+      val = info[key] || attributes.multi(key)&.join(",")
+      user.custom_fields["user_field_#{field_id}"] = val if val.present?
+    end
   end
 
   def sync_moderator(user, attributes)
     return unless setting(:sync_moderator)
 
-    is_moderator_attribute = setting(:moderator_attribute) || "isModerator"
-    is_moderator = %w[1 true].include?(attributes.single(is_moderator_attribute).to_s.downcase)
+    roles = attributes.multi("roles") || []
+    is_moderator = roles.include?("discourse-moderator") or roles.include?("discourse-admin")
 
     return if user.moderator == is_moderator
 
@@ -290,8 +322,8 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
   def sync_admin(user, attributes)
     return unless setting(:sync_admin)
 
-    is_admin_attribute = setting(:admin_attribute) || "isAdmin"
-    is_admin = %w[1 true].include?(attributes.single(is_admin_attribute).to_s.downcase)
+    roles = attributes.multi("roles") || []
+    is_admin = roles.include?("discourse-admin")
 
     return if user.admin == is_admin
 
@@ -369,10 +401,6 @@ class SamlAuthenticator < ::Auth::ManagedAuthenticator
   end
 
   def resolve_username(username, name, email, uid)
-    suggester_input = [username, name]
-    suggester_input << email if SiteSetting.use_email_for_username_and_name_suggestions
-    suggester_input << uid
-
-    UserNameSuggester.suggest(*suggester_input)
+    username
   end
 end