saml_authenticator.rb

# frozen_string_literal: true

class SamlAuthenticator < ::Auth::ManagedAuthenticator
  def name
    "saml"
  end

  def attribute_name_format(type = "basic")
    "urn:oasis:names:tc:SAML:2.0:attrname-format:#{type}"
  end

  def setting(key)
    # In almost all circumstances, `name` is `saml`.
    # However, some other plugins choose to re-use this Authenticator class
    # with a different `name`. This helper lets them have their own settings,
    # which automatically fall back to the `saml_` defaults.
    ::DiscourseSaml.setting(key, prefer_prefix: "#{name}_")
  end

  def request_attributes
    attrs = "email|name|first_name|last_name"
    custom_attrs = setting(:request_attributes)

    attrs = "#{attrs}|#{custom_attrs}" if custom_attrs.present?

    attrs
      .split("|")
      .uniq
      .map { |name| { name: name, name_format: attribute_name_format, friendly_name: name } }
  end

  def attribute_statements
    result = {}
    statements =
      "name:fullName,name|email:email,mail|first_name:first_name,firstname,firstName|last_name:last_name,lastname,lastName|nickname:screenName"
    custom_statements = setting(:attribute_statements)

    statements = "#{statements}|#{custom_statements}" if custom_statements.present?

    statements
      .split("|")
      .map do |statement|
      attrs = statement.split(":", 2)
      next if attrs.count != 2
      (result[attrs[0]] ||= []) << attrs[1].split(",")
      result[attrs[0]].flatten!
    end

    result
  end

  def register_middleware(omniauth)
    omniauth.provider ::DiscourseSaml::SamlOmniauthStrategy,
                      name: name,
                      setup: lambda { |env| setup_strategy(env["omniauth.strategy"]) }
  end

  def setup_strategy(strategy)
    strategy.options.deep_merge!(
      issuer: SamlAuthenticator.saml_base_url,
      idp_sso_target_url: setting(:target_url),
      idp_slo_target_url: setting(:slo_target_url).presence,
      slo_default_relay_state: SamlAuthenticator.saml_base_url,
      idp_cert_fingerprint: setting(:cert_fingerprint).presence,
      idp_cert_fingerprint_algorithm: setting(:cert_fingerprint_algorithm),
      idp_cert: setting(:cert).presence,
      idp_cert_multi: idp_cert_multi,
      request_attributes: request_attributes,
      attribute_statements: attribute_statements,
      assertion_consumer_service_url: SamlAuthenticator.saml_base_url + "/auth/#{name}/callback",
      single_logout_service_url: SamlAuthenticator.saml_base_url + "/auth/#{name}/slo",
      name_identifier_format: setting(:name_identifier_format).presence,
      request_method: (setting(:request_method)&.downcase == "post") ? "POST" : "GET",
      certificate: setting(:sp_certificate).presence,
      private_key: setting(:sp_private_key).presence,
      security: {
        authn_requests_signed: !!setting(:authn_requests_signed),
        want_assertions_signed: !!setting(:want_assertions_signed),
        logout_requests_signed: !!setting(:logout_requests_signed),
        logout_responses_signed: !!setting(:logout_responses_signed),
        signature_method: XMLSecurity::Document::RSA_SHA1,
      },
      idp_slo_session_destroy:
        proc do |env, session|
          user = CurrentUser.lookup_from_env(env)
          if user
            user.user_auth_tokens.destroy_all
            user.logged_out
          end
        end,
    )
  end

  def primary_email_verified?(auth_token)
    attributes = OneLogin::RubySaml::Attributes.new(auth_token.extra&.[](:raw_info) || {})

    group_attribute = setting(:groups_attribute)
    if setting(:validate_email_fields).present? && attributes.multi(group_attribute).present?
      validate_email_fields = setting(:validate_email_fields).split("|").map(&:downcase)
      member_of = attributes.multi(group_attribute).map { |g| g.downcase.split(",") }.flatten
      (validate_email_fields & member_of).present? ? true : false
    else
      setting(:default_emails_valid)
    end
  end

  def after_authenticate(auth)
    info = auth.info

    extra_data = auth.extra || {}
    attributes = extra_data[:raw_info] || OneLogin::RubySaml::Attributes.new

    auth[:uid] = attributes.single("uid") || auth[:uid] if setting(:use_attributes_uid)
    uid = auth[:uid]

    auth.info[:email] ||= uid if uid.to_s&.include?("@")

    auth.info[:nickname] = uid.to_s if uid && setting(:use_attributes_uid)

    auth.extra = { "raw_info" => attributes.attributes }
    result = super

    if setting(:log_auth)
      ::PluginStore.set("saml", "#{name}_last_auth", auth.inspect)
      ::PluginStore.set("saml", "#{name}_last_auth_raw_info", attributes.inspect)
      ::PluginStore.set("saml", "#{name}_last_auth_extra", extra_data.inspect)
    end

    if setting(:debug_auth)
      data = { uid: uid, info: info, attributes: attributes }
      log("#{name}_auth: #{data.inspect}")
    end

    result.skip_email_validation = true if setting(:skip_email_validation)

    if result.user.blank?
      result.username = "" if setting(:clear_username)
      result.user = auto_create_account(result, uid) if setting(:auto_create_account) &&
        result.email_valid
    else
      user = result.user
      sync_groups(user, attributes, info)
      sync_custom_fields(user, attributes, info)
      sync_moderator(user, attributes)
      sync_admin(user, attributes)
      sync_trust_level(user, attributes)
      sync_locale(user, attributes)
    end

    result.overrides_username = setting(:omit_username)
    result.overrides_email = setting(:sync_email)

    result
  end

  def log(info)
    Rails.logger.warn("SAML Debugging: #{info}") if setting(:debug_auth)
  end

  def after_create_account(user, auth)
    super

    uaa =
      UserAssociatedAccount.find_by(
        provider_name: auth.extra_data[:provider],
        provider_uid: auth.extra_data[:uid],
      )

    info = OmniAuth::AuthHash::InfoHash.new(uaa.info)
    attributes = OneLogin::RubySaml::Attributes.new(uaa.extra&.[]("raw_info") || {})

    sync_groups(user, attributes, info)
    sync_moderator(user, attributes)
    sync_admin(user, attributes)
    sync_trust_level(user, attributes)
    sync_custom_fields(user, attributes, info)
    sync_locale(user, attributes)
  end

  def auto_create_account(result, uid)
    try_email = result.email.presence
    return if User.find_by_email(try_email).present?

    # Use a mutex here to counter SAML responses that are sent at the same time and the same email payload
    DistributedMutex.synchronize("discourse_saml_#{try_email}") do
      user_params = {
        primary_email: UserEmail.new(email: try_email, primary: true),
        name: resolve_name(result.name, result.username, result.email),
        username: resolve_username(result.username, result.name, result.email, uid),
        active: true,
      }

      user = User.create!(user_params)

      session_data = result.session_data
      after_create_result = Auth::Result.from_session_data(session_data, user: user)

      after_create_account(user, after_create_result)

      user
    end
  end

  def sync_groups(user, attributes, info)
    return unless setting(:sync_groups).present?

    groups_fullsync = setting(:groups_fullsync)
    raw_group_list = attributes.multi(setting(:groups_attribute)) || []
    user_group_list = raw_group_list.map { |g| g.downcase.split(",") }.flatten

    if setting(:groups_ldap_leafcn).present?
      # Change cn=groupname,cn=groups,dc=example,dc=com to groupname
      user_group_list = user_group_list.map { |group| group.split("=", 2).last }
    end

    if groups_fullsync
      user_has_groups = user.groups.where(automatic: false).pluck(:name).map(&:downcase)
      groups_to_add = user_group_list - user_has_groups
      groups_to_remove = user_has_groups - user_group_list if user_has_groups.present?
    else
      total_group_list = setting(:sync_groups_list).split("|").map(&:downcase)

      groups_to_add = info["groups_to_add"] || attributes.multi("groups_to_add")&.join(",") || ""
      groups_to_add = groups_to_add.downcase.split(",")
      groups_to_add += user_group_list

      groups_to_remove =
        info["groups_to_remove"] || attributes.multi("groups_to_remove")&.join(",") || ""
      groups_to_remove = groups_to_remove.downcase.split(",")

      if total_group_list.present?
        groups_to_add = total_group_list & groups_to_add

        removable_groups = groups_to_remove.dup
        groups_to_remove = total_group_list - groups_to_add
        groups_to_remove &= removable_groups if removable_groups.present?
      end
    end

    return if user_group_list.blank? && groups_to_add.blank? && groups_to_remove.blank?

    Group
      .where("LOWER(name) IN (?) AND NOT automatic", groups_to_add)
      .each { |group| group.add user }

    Group
      .where("LOWER(name) IN (?) AND NOT automatic", groups_to_remove)
      .each { |group| group.remove user }
  end

  def sync_custom_fields(user, attributes, info)
    return if user.blank?

    request_attributes.each do |attr|
      key = attr[:name]
      val = info[key] || attributes.multi(key)&.join(",")
      user.custom_fields["#{name}_#{key}"] = val if val.present?
    end

    sync_user_fields(user, attributes, info)
    user.save_custom_fields
  end

  def sync_user_fields(user, attributes, info)
    statements = setting(:user_field_statements) || ""

    statements
      .split("|")
      .each do |statement|
      key, field_id = statement.split(":")
      next if key.blank? || field_id.blank?

      val = info[key] || attributes.multi(key)&.join(",")
      user.custom_fields["user_field_#{field_id}"] = val if val.present?
    end
  end

  def sync_moderator(user, attributes)
    return unless setting(:sync_moderator)

    is_moderator_attribute = setting(:moderator_attribute) || "isModerator"
    is_moderator = %w[1 true].include?(attributes.single(is_moderator_attribute).to_s.downcase)

    return if user.moderator == is_moderator

    user.moderator = is_moderator
    user.save
  end

  def sync_admin(user, attributes)
    return unless setting(:sync_admin)

    is_admin_attribute = setting(:admin_attribute) || "isAdmin"
    is_admin = %w[1 true].include?(attributes.single(is_admin_attribute).to_s.downcase)

    return if user.admin == is_admin

    user.admin = is_admin
    user.save
  end

  def sync_trust_level(user, attributes)
    return unless setting(:sync_trust_level)

    trust_level_attribute = setting(:trust_level_attribute) || "trustLevel"
    level = attributes.single(trust_level_attribute).to_i

    return unless level.between?(1, 4)

    if user.manual_locked_trust_level != level
      user.manual_locked_trust_level = level
      user.save
    end

    return if user.trust_level == level

    user.change_trust_level!(level, log_action_for: user)
  end

  def sync_locale(user, attributes)
    return unless setting(:sync_locale)

    locale_attribute = setting(:locale_attribute) || "locale"
    locale = attributes.single(locale_attribute)

    return unless LocaleSiteSetting.valid_value?(locale)

    if user.locale != locale
      user.locale = locale
      user.save
    end
  end

  def enabled?
    # Checking target_url global setting for backwards compatibility
    # (the plugin used to be enabled-by-default)
    setting(:enabled) || !!GlobalSetting.try("#{name}_target_url")
  end

  def can_connect_existing_user?
    false
  end

  def can_revoke?
    false
  end

  def self.saml_base_url
    DiscourseSaml.setting(:base_url).presence || Discourse.base_url
  end

  private

  def idp_cert_multi
    return unless setting(:cert_multi).present?

    certificates = setting(:cert_multi).split("|")
    certificates.push(setting(:cert)) if setting(:cert).present?

    { signing: certificates, encryption: [] }
  end

  def resolve_name(name, username, email)
    return name if name.present?

    suggester_input = username.presence
    suggester_input ||= email if SiteSetting.use_email_for_username_and_name_suggestions
    User.suggest_name(suggester_input)
  end

  def resolve_username(username, name, email, uid)
    suggester_input = [username, name]
    suggester_input << email if SiteSetting.use_email_for_username_and_name_suggestions
    suggester_input << uid

    UserNameSuggester.suggest(*suggester_input)
  end
end