Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
D
Discourse SAML
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package Registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Giacomo Vercesi
Discourse SAML
Commits
b2fa01fa
Commit
b2fa01fa
authored
7 years ago
by
Arpit Jalan
Browse files
Options
Downloads
Patches
Plain Diff
improve plugin structure and add specs
parent
e136a779
No related branches found
Branches containing commit
No related tags found
No related merge requests found
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
lib/saml_authenticator.rb
+131
-0
131 additions, 0 deletions
lib/saml_authenticator.rb
plugin.rb
+2
-131
2 additions, 131 deletions
plugin.rb
spec/saml_authenticator_spec.rb
+39
-0
39 additions, 0 deletions
spec/saml_authenticator_spec.rb
with
172 additions
and
131 deletions
lib/saml_authenticator.rb
0 → 100644
+
131
−
0
View file @
b2fa01fa
class
SamlAuthenticator
<
::
Auth
::
OAuth2Authenticator
def
register_middleware
(
omniauth
)
omniauth
.
provider
:saml
,
:name
=>
'saml'
,
:issuer
=>
Discourse
.
base_url
,
:idp_sso_target_url
=>
GlobalSetting
.
try
(
:saml_target_url
),
:idp_cert_fingerprint
=>
GlobalSetting
.
try
(
:saml_cert_fingerprint
),
:idp_cert
=>
GlobalSetting
.
try
(
:saml_cert
),
:attribute_statements
=>
{
:nickname
=>
[
'screenName'
]
},
:assertion_consumer_service_url
=>
Discourse
.
base_url
+
"/auth/saml/callback"
,
:custom_url
=>
(
GlobalSetting
.
try
(
:saml_request_method
)
==
'post'
)
?
"/discourse_saml"
:
nil
,
:certificate
=>
GlobalSetting
.
try
(
:saml_sp_certificate
),
:private_key
=>
GlobalSetting
.
try
(
:saml_sp_private_key
),
:security
=>
{
authn_requests_signed:
GlobalSetting
.
try
(
:saml_authn_requests_signed
)
?
true
:
false
,
want_assertions_signed:
GlobalSetting
.
try
(
:saml_want_assertions_signed
)
?
true
:
false
,
signature_method:
XMLSecurity
::
Document
::
RSA_SHA1
}
end
def
after_authenticate
(
auth
)
result
=
Auth
::
Result
.
new
if
GlobalSetting
.
try
(
:saml_log_auth
)
::
PluginStore
.
set
(
"saml"
,
"saml_last_auth"
,
auth
.
inspect
)
::
PluginStore
.
set
(
"saml"
,
"saml_last_auth_raw_info"
,
auth
.
extra
[
:raw_info
].
inspect
)
::
PluginStore
.
set
(
"saml"
,
"saml_last_auth_extra"
,
auth
.
extra
.
inspect
)
end
if
GlobalSetting
.
try
(
:saml_debug_auth
)
log
(
"saml_auth_info:
#{
auth
[
:info
].
inspect
}
"
)
log
(
"saml_auth_extra:
#{
auth
.
extra
.
inspect
}
"
)
end
uid
=
auth
[
:uid
]
result
.
name
=
auth
[
:info
].
name
||
uid
result
.
username
=
uid
if
auth
.
extra
.
present?
&&
auth
.
extra
[
:raw_info
].
present?
result
.
username
=
auth
.
extra
[
:raw_info
].
attributes
[
'screenName'
].
try
(
:first
)
||
uid
end
if
GlobalSetting
.
try
(
:saml_use_uid
)
&&
auth
.
extra
.
present?
&&
auth
.
extra
[
:raw_info
].
present?
result
.
username
=
auth
.
extra
[
:raw_info
].
attributes
[
'uid'
].
try
(
:first
)
||
uid
end
result
.
email
=
auth
[
:info
].
email
||
uid
result
.
email_valid
=
true
if
result
.
respond_to?
(
:skip_email_validation
)
&&
GlobalSetting
.
try
(
:saml_skip_email_validation
)
result
.
skip_email_validation
=
true
end
saml_user_info
=
::
PluginStore
.
get
(
"saml"
,
"saml_user_
#{
uid
}
"
)
if
saml_user_info
result
.
user
=
User
.
where
(
id:
saml_user_info
[
:user_id
]).
first
end
result
.
user
||=
User
.
find_by_email
(
result
.
email
)
if
saml_user_info
.
nil?
&&
result
.
user
::
PluginStore
.
set
(
"saml"
,
"saml_user_
#{
uid
}
"
,
{
user_id:
result
.
user
.
id
})
end
if
GlobalSetting
.
try
(
:saml_clear_username
)
&&
result
.
user
.
blank?
result
.
username
=
''
end
if
GlobalSetting
.
try
(
:saml_omit_username
)
&&
result
.
user
.
blank?
result
.
omit_username
=
true
end
result
.
extra_data
=
{
saml_user_id:
uid
}
if
GlobalSetting
.
try
(
:saml_sync_groups
)
groups
=
auth
.
extra
[
:raw_info
].
attributes
[
'memberOf'
]
if
result
.
user
.
blank?
result
.
extra_data
[
:saml_groups
]
=
groups
else
sync_groups
(
result
.
user
,
groups
)
end
end
sync_email
(
result
.
user
,
Email
.
downcase
(
result
.
email
))
if
GlobalSetting
.
try
(
:saml_sync_email
)
&&
result
.
user
.
present?
&&
result
.
user
.
email
!=
Email
.
downcase
(
result
.
email
)
result
end
def
log
(
info
)
Rails
.
logger
.
warn
(
"SAML Debugging:
#{
info
}
"
)
if
GlobalSetting
.
try
(
:saml_debug_auth
)
end
def
after_create_account
(
user
,
auth
)
::
PluginStore
.
set
(
"saml"
,
"saml_user_
#{
auth
[
:extra_data
][
:saml_user_id
]
}
"
,
{
user_id:
user
.
id
})
sync_groups
(
user
,
auth
[
:extra_data
][
:saml_groups
])
end
def
sync_groups
(
user
,
saml_groups
)
return
unless
GlobalSetting
.
try
(
:saml_sync_groups
)
&&
GlobalSetting
.
try
(
:saml_sync_groups_list
)
&&
saml_groups
.
present?
total_group_list
=
GlobalSetting
.
try
(
:saml_sync_groups_list
).
split
(
'|'
)
user_group_list
=
saml_groups
groups_to_add
=
Group
.
where
(
name:
total_group_list
&
user_group_list
)
groups_to_add
.
each
do
|
group
|
group
.
add
user
end
groups_to_remove
=
Group
.
where
(
name:
total_group_list
-
user_group_list
)
groups_to_remove
.
each
do
|
group
|
group
.
remove
user
end
end
def
sync_email
(
user
,
email
)
return
unless
GlobalSetting
.
try
(
:saml_sync_email
)
existing_user
=
User
.
find_by_email
(
email
)
if
email
=~
EmailValidator
.
email_regex
&&
existing_user
.
nil?
user
.
email
=
email
user
.
save
end
end
end
This diff is collapsed.
Click to expand it.
plugin.rb
+
2
−
131
View file @
b2fa01fa
...
...
@@ -10,138 +10,9 @@ gem 'uuid', '2.3.7'
gem
'ruby-saml'
,
'1.3.1'
gem
"omniauth-saml"
,
'1.6.0'
request_method
=
GlobalSetting
.
try
(
:saml_request_method
)
||
'get'
class
SamlAuthenticator
<
::
Auth
::
OAuth2Authenticator
def
register_middleware
(
omniauth
)
omniauth
.
provider
:saml
,
:name
=>
'saml'
,
:issuer
=>
Discourse
.
base_url
,
:idp_sso_target_url
=>
GlobalSetting
.
try
(
:saml_target_url
),
:idp_cert_fingerprint
=>
GlobalSetting
.
try
(
:saml_cert_fingerprint
),
:idp_cert
=>
GlobalSetting
.
try
(
:saml_cert
),
:attribute_statements
=>
{
:nickname
=>
[
'screenName'
]
},
:assertion_consumer_service_url
=>
Discourse
.
base_url
+
"/auth/saml/callback"
,
:custom_url
=>
(
GlobalSetting
.
try
(
:saml_request_method
)
==
'post'
)
?
"/discourse_saml"
:
nil
,
:certificate
=>
GlobalSetting
.
try
(
:saml_sp_certificate
),
:private_key
=>
GlobalSetting
.
try
(
:saml_sp_private_key
),
:security
=>
{
authn_requests_signed:
GlobalSetting
.
try
(
:saml_authn_requests_signed
)
?
true
:
false
,
want_assertions_signed:
GlobalSetting
.
try
(
:saml_want_assertions_signed
)
?
true
:
false
,
signature_method:
XMLSecurity
::
Document
::
RSA_SHA1
}
end
def
after_authenticate
(
auth
)
result
=
Auth
::
Result
.
new
if
GlobalSetting
.
try
(
:saml_log_auth
)
::
PluginStore
.
set
(
"saml"
,
"saml_last_auth"
,
auth
.
inspect
)
::
PluginStore
.
set
(
"saml"
,
"saml_last_auth_raw_info"
,
auth
.
extra
[
:raw_info
].
inspect
)
::
PluginStore
.
set
(
"saml"
,
"saml_last_auth_extra"
,
auth
.
extra
.
inspect
)
end
if
GlobalSetting
.
try
(
:saml_debug_auth
)
log
(
"saml_auth_info:
#{
auth
[
:info
].
inspect
}
"
)
log
(
"saml_auth_extra:
#{
auth
.
extra
.
inspect
}
"
)
end
uid
=
auth
[
:uid
]
result
.
name
=
auth
[
:info
].
name
||
uid
result
.
username
=
uid
if
auth
.
extra
.
present?
&&
auth
.
extra
[
:raw_info
].
present?
result
.
username
=
auth
.
extra
[
:raw_info
].
attributes
[
'screenName'
].
try
(
:first
)
||
uid
end
if
GlobalSetting
.
try
(
:saml_use_uid
)
&&
auth
.
extra
.
present?
&&
auth
.
extra
[
:raw_info
].
present?
result
.
username
=
auth
.
extra
[
:raw_info
].
attributes
[
'uid'
].
try
(
:first
)
||
uid
end
result
.
email
=
auth
[
:info
].
email
||
uid
result
.
email_valid
=
true
if
result
.
respond_to?
(
:skip_email_validation
)
&&
GlobalSetting
.
try
(
:saml_skip_email_validation
)
result
.
skip_email_validation
=
true
end
saml_user_info
=
::
PluginStore
.
get
(
"saml"
,
"saml_user_
#{
uid
}
"
)
if
saml_user_info
result
.
user
=
User
.
where
(
id:
saml_user_info
[
:user_id
]).
first
end
result
.
user
||=
User
.
find_by_email
(
result
.
email
)
if
saml_user_info
.
nil?
&&
result
.
user
::
PluginStore
.
set
(
"saml"
,
"saml_user_
#{
uid
}
"
,
{
user_id:
result
.
user
.
id
})
end
if
GlobalSetting
.
try
(
:saml_clear_username
)
&&
result
.
user
.
blank?
result
.
username
=
''
end
if
GlobalSetting
.
try
(
:saml_omit_username
)
&&
result
.
user
.
blank?
result
.
omit_username
=
true
end
result
.
extra_data
=
{
saml_user_id:
uid
}
if
GlobalSetting
.
try
(
:saml_sync_groups
)
groups
=
auth
.
extra
[
:raw_info
].
attributes
[
'memberOf'
]
if
result
.
user
.
blank?
result
.
extra_data
[
:saml_groups
]
=
groups
else
sync_groups
(
result
.
user
,
groups
)
end
end
sync_email
(
result
.
user
,
Email
.
downcase
(
result
.
email
))
if
GlobalSetting
.
try
(
:saml_sync_email
)
&&
result
.
user
.
present?
&&
result
.
user
.
email
!=
Email
.
downcase
(
result
.
email
)
result
end
def
log
(
info
)
Rails
.
logger
.
warn
(
"SAML Debugging:
#{
info
}
"
)
if
GlobalSetting
.
try
(
:saml_debug_auth
)
end
def
after_create_account
(
user
,
auth
)
::
PluginStore
.
set
(
"saml"
,
"saml_user_
#{
auth
[
:extra_data
][
:saml_user_id
]
}
"
,
{
user_id:
user
.
id
})
sync_groups
(
user
,
auth
[
:extra_data
][
:saml_groups
])
end
def
sync_groups
(
user
,
saml_groups
)
return
unless
GlobalSetting
.
try
(
:saml_sync_groups
)
&&
GlobalSetting
.
try
(
:saml_sync_groups_list
)
&&
saml_groups
.
present?
total_group_list
=
GlobalSetting
.
try
(
:saml_sync_groups_list
).
split
(
'|'
)
user_group_list
=
saml_groups
require_relative
(
"lib/saml_authenticator"
)
groups_to_add
=
Group
.
where
(
name:
total_group_list
&
user_group_list
)
groups_to_add
.
each
do
|
group
|
group
.
add
user
end
groups_to_remove
=
Group
.
where
(
name:
total_group_list
-
user_group_list
)
groups_to_remove
.
each
do
|
group
|
group
.
remove
user
end
end
def
sync_email
(
user
,
email
)
return
unless
GlobalSetting
.
try
(
:saml_sync_email
)
existing_user
=
User
.
find_by_email
(
email
)
if
email
=~
EmailValidator
.
email_regex
&&
existing_user
.
nil?
user
.
email
=
email
user
.
save
end
end
end
request_method
=
GlobalSetting
.
try
(
:saml_request_method
)
||
'get'
if
request_method
==
'post'
after_initialize
do
...
...
This diff is collapsed.
Click to expand it.
spec/saml_authenticator_spec.rb
0 → 100644
+
39
−
0
View file @
b2fa01fa
require
'rails_helper'
describe
SamlAuthenticator
do
context
'after_authenticate'
do
before
do
@authenticator
=
SamlAuthenticator
.
new
(
'saml'
)
@uid
=
123456
@user
=
Fabricate
(
:user
)
end
it
'finds user by email'
do
hash
=
OmniAuth
::
AuthHash
.
new
(
uid:
"654321"
,
info:
{
name:
"John Doe"
,
email:
@user
.
email
}
)
result
=
@authenticator
.
after_authenticate
(
hash
)
expect
(
result
.
user
.
email
).
to
eq
(
@user
.
email
)
end
it
'finds user by uid'
do
PluginStore
.
set
(
"saml"
,
"saml_user_
#{
@uid
}
"
,
{
user_id:
@user
.
id
})
hash
=
OmniAuth
::
AuthHash
.
new
(
uid:
@uid
,
info:
{
name:
"John Doe"
,
email:
"john_doe@example.com"
}
)
result
=
@authenticator
.
after_authenticate
(
hash
)
expect
(
result
.
user
.
email
).
to
eq
(
@user
.
email
)
end
end
end
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment