WIP Updates to sso

lagoan · lagoan · commit d645bb605cb7 · 2024-08-14T14:14:33.000-06:00
Adding some missing methods and start cleanup.

We still need to clean up and fix the `openid_connect` method on
`omniauth_callbacks_controller.rb`.
diff --git a/Gemfile b/Gemfile
@@ -107,8 +107,7 @@ gem 'omniauth-orcid'
 #   https://nvd.nist.gov/vuln/detail/CVE-2015-9284
 gem 'omniauth-rails_csrf_protection'
 
-#This gem provides cilogon support with devise login authentication
-#This is a part of omniauth
+# This gem provides cilogon support with devise login authentication
 gem 'omniauth_openid_connect'
 
 # A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb
@@ -23,7 +23,7 @@ def index
       else
         redirect_to plans_url
       end
-    elsif session['devise.shibboleth_data'].present?# || session['devise.openid_connect_data'].present?
+    elsif session['devise.shibboleth_data'].present?
       # NOTE: Update this to handle ORCiD as well when we enable it as a login method
       redirect_to new_user_registration_url
     end
diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -3,51 +3,33 @@
 module Users
   # Controller that handles callbacks from OmniAuth integrations (e.g. Shibboleth and ORCID)
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController
-    ##
-    # Dynamically build a handler for each omniauth provider
-    # -------------------------------------------------------------
-    IdentifierScheme.for_authentication.each do |scheme|
-      define_method(scheme.name.downcase) do
-        handle_omniauth(scheme)
-      end
-    end
-
-
-  #   def openid_connect
-  #     @user = User.from_omniauth(request.env["omniauth.auth"])
-
-  #     if @user.present?
-  #         sign_in_and_redirect @user, event: :authentication
-  #         set_flash_message(:notice, :success, kind: "OpenID Connect") if is_navigational_format?
-  #     else
-  #         session["devise.openid_connect_data"] = request.env["omniauth.auth"]
-  #         redirect_to new_user_registration_url
-  #     end
-  # end
-
-
-
-
-    #This is for the OpenidConnect CILogon
-
+    # This is for the OpenidConnect CILogon
     def openid_connect
       # First or create
       auth = request.env['omniauth.auth']
       user = User.from_omniauth(auth)
-      identifier_scheme = IdentifierScheme.find_by_name(auth.provider)
 
       if auth.info.email.nil? && user.nil?
-        #If email is missing we need to request the user to register with DMP. 
-        #User email can be missing if the user email id is set to private or trusted clients only we won't get the value. 
-        #USer email id is one of the mandatory field which is must required.
-        flash[:notice] = 'Please try sign-up with DMP assistant.'
+        # If email is missing we need to request the user to register with DMP.
+        # User email can be missing if the user email id is set to private or
+        # trusted clients only we won't get the value.
+        # User email id is one of the mandatory field which is must required.
+
+        flash[:notice] =
+          "Your institution's current settings do not provide an email address, which is necessary for registration. " \
+          'To proceed, please update your settings to make your email address visible. Alternatively, you can ' \
+          'create an account directly on DMP Assistant.'
         redirect_to new_user_registration_path
-      elsif current_user.nil?
+      end
+
+      identifier_scheme = IdentifierScheme.find_by_name(auth.provider)
+
+      if current_user.nil?
         # We need to register
         if user.nil?
           # Register and sign in
           user = User.create_from_provider_data(auth)
-          Identifier.create(identifier_scheme: identifier_scheme, #auth.provider, #scheme, #IdentifierScheme.last.id,
+          Identifier.create(identifier_scheme: identifier_scheme, # auth.provider, #scheme, #IdentifierScheme.last.id,
                             value: auth.uid,
                             attrs: auth,
                             identifiable: user)
@@ -59,15 +41,13 @@ def openid_connect
         Identifier.create(identifier_scheme: identifier_scheme,
                           value: auth.uid,
                           attrs: auth,
-                          identifiable: current_user)
+                          identifiable: user)
 
         flash[:notice] = 'linked succesfully'
         redirect_to root_path
       end
     end
 
-
-
     # Processes callbacks from an omniauth provider and directs the user to
     # the appropriate page:
     #   Not logged in and uid had no match ---> Sign Up page
@@ -82,33 +62,23 @@ def openid_connect
     def handle_omniauth(scheme)
       user = if request.env['omniauth.auth'].nil?
                User.from_omniauth(request.env)
-            else 
-               User.from_omniauth(request.env['rack.session'] )
+             else
+               User.from_omniauth(request.env['omniauth.auth'])
              end
 
       # If the user isn't logged in
       if current_user.nil?
         # If the uid didn't have a match in the system send them to register
         if user.nil?
           session["devise.#{scheme.name.downcase}_data"] = request.env['omniauth.auth']
+
           redirect_to new_user_registration_url
 
         # Otherwise sign them in
         elsif scheme.name == 'shibboleth'
           # Until ORCID becomes supported as a login method
           set_flash_message(:notice, :success, kind: scheme.description) if is_navigational_format?
           sign_in_and_redirect user, event: :authentication
-        elsif schema.name == "openid_connect"
-          @user = User.from_omniauth(request.env["omniauth.auth"])
-          Rails.logger.info "OmniAuth Auth Hash: #{request.env["omniauth.auth"]}"
-  
-          if @user.persisted?
-              sign_in_and_redirect @user, event: :authentication
-              set_flash_message(:notice, :success, kind: "OpenID Connect") if is_navigational_format?
-          else
-              session["devise.openid_connect_data"] = request.env["omniauth.auth"]
-              redirect_to new_user_registration_url
-          end
         else
           flash[:notice] = _('Successfully signed in')
           redirect_to new_user_registration_url
@@ -119,13 +89,12 @@ def handle_omniauth(scheme)
         # If the user could not be found by that uid then attach it to their record
         if user.nil?
           if Identifier.create(identifier_scheme: scheme,
-                               value: request.env['rack.session']['omniauth.state'],#request.env['omniauth.auth'].uid,
-                               attrs: request.env['rack.session']['omniauth.nonce'],#request.env['omniauth.auth'],
+                               value: request.env['omniauth.auth'].uid,
+                               attrs: request.env['omniauth.auth'],
                                identifiable: current_user)
             flash[:notice] =
               format(_('Your account has been successfully linked to %{scheme}.'),
                      scheme: scheme.description)
-            redirect_to new_user_registration_url
 
           else
             flash[:alert] = format(_('Unable to link your account to %{scheme}.'),
@@ -145,7 +114,13 @@ def handle_omniauth(scheme)
       end
     end
 
+    def orcid
+      handle_omniauth(IdentifierScheme.for_authentication.find_by(name: 'orcid'))
+    end
 
+    def shibboleth
+      handle_omniauth(IdentifierScheme.for_authentication.find_by(name: 'shibboleth'))
+    end
 
     # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
     # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -177,39 +177,30 @@ class User < ApplicationRecord
   ##
   # Load the user based on the scheme and id provided by the Omniauth call
   def self.from_omniauth(auth)
-    # byebug
-    Identifier.by_scheme_name(auth.provider.downcase.to_s, 'User')
-                .where(value: auth.uid)
-                .first&.identifiable
-              # end
-
-
-  #             Rails.logger.info "OmniAuth Auth Hash: #{auth.inspect}"
-              # where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
-              #   user.provider = auth.provider
-              #   user.uid = auth.uid
-              #   user.email = auth.info.email
-              #   user.password = Devise.friendly_token[0,20]
-              # end
-  #             # # .where(value: auth.info.eppn) #need to add a cilogon condition for this
-  #             # .first&.identifiable
-  #             # .where(value: auth.uid).first_or_create do |user|
-  #             #   user.email = auth.info.email
-  #             #   user.password = Devise.friendly_token[0, 20]
-  #             #   user.name = auth.info.name   # if the User model has a name
-  #             # end
+    Identifier.by_scheme_name(auth.provider.downcase, 'User')
+              .where(value: auth.uid)
+              .first&.identifiable
   end
 
+  ##
+  # Handle user creation from provider
+  def self.create_from_provider_data(provider_data)
+    user = User.find_by email: provider_data.info.email
+
+    return user if user
+
+    user = User.new(
+      firstname: provider_data.info.first_name,
+      surname: provider_data.info.last_name,
+      email: provider_data.info.email,
+      # We don't know which organization to setup so we will use other
+      org: Org.find_by(is_other: true),
+      accept_terms: true,
+      password: Devise.friendly_token[0, 20]
+    )
 
-  # def self.from_omniauth(auth)
-  #   Rails.logger.info "OmniAuth Auth Hash: #{auth.inspect}"
-	#   where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
-	# 	  user.provider = auth.provider
-	# 	  user.uid = auth.uid
-	# 	  user.email = auth.info.email if !auth.info.email_verified.nil?
-	# 	  user.password = Devise.friendly_token[0,20]
-	#   end
-  # end
+    user.save!
+  end
 
   def self.to_csv(users)
     User::AtCsv.new(users).to_csv
diff --git a/app/presenters/identifier_presenter.rb b/app/presenters/identifier_presenter.rb
@@ -40,7 +40,6 @@ def load_schemes
     # Shibboleth Org identifiers are only for use by installations that have
     # a curated list of Orgs that can use institutional login
     if @identifiable.is_a?(Org) &&
-      # byebug
        !Rails.configuration.x.shibboleth.use_filtered_discovery_service
       schemes = schemes.reject { |scheme| scheme.name.casecmp('shibboleth').zero? }
     end
diff --git a/config/initializers/_dmproadmap.rb b/config/initializers/_dmproadmap.rb
@@ -150,8 +150,6 @@ class Application < Rails::Application
     # A super admin will also be able to associate orgs with their shibboleth entityIds if this is set to true
     config.x.shibboleth.use_filtered_discovery_service = false
 
-
-
     # ------------------- #
     # OPENID_CONNECT/CILOGON SETTINGS #
     # ------------------- #
@@ -172,7 +170,6 @@ class Application < Rails::Application
     # A super admin will also be able to associate orgs with their CILogon entityIds if this is set to true
     config.x.openid_connect.use_filtered_discovery_service = true
 
-
     # ------- #
     # LOCALES #
     # ------- #
diff --git a/config/initializers/cookie_size.rb b/config/initializers/cookie_size.rb
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -282,8 +282,7 @@
                     extra_fields: []
                   }
 
-
-  # XXX First attempt of the openid_connect XXX         
+  # XXX First attempt of the openid_connect XXX
   # config.omniauth :openid_connect,  {
   #                   name: :cilogon,
   #                   issuer: 'https://cilogon.org/',
@@ -320,47 +319,46 @@
   #                   }
   #                 }
 
-
   # XXX Third attempt of the openid_connect XXX
-      # config.omniauth :openid_connect, {
-                    #   name: :cilogon,
-                    #   issuer: ' https://cilogon.org/oauth2/device_authorization',
-                    #   scope: [:openid, :profile, :email, 'org.cilogon.userinfo'],
-                    #   uid_field: :sub,
-                    #   response_type: :code,
-                    #   client_options: {
-                    #     identifier: ENV['CILOGON_CLIENT_ID'],
-                    #     secret: ENV['CILOGON_SECRET_KEY'],
-                    #     redirect_uri: "http://localhost:3000/users/auth/openid_connect/callback",
-                    #     host: 'cilogon.org',
-                    #     authorization_endpoint:"https://cilogon.org/authorize",
-                    #     token_endpoint:"https://cilogon.org/oauth2/token",
-                    #     registration_endpoint:"https://cilogon.org/oauth2/oidc-cm",
-                    #     userinfo_endpoint:"https://cilogon.org/oauth2/userinfo",
-                    #     # authorization_endpoint: '/oauth2/device_authorization',
-                    #     # token_endpoint: '/oauth2/token',
-                    #     # userinfo_endpoint: '/oauth2/userinfo'
-                    #   }
-                    # }
+  # config.omniauth :openid_connect, {
+  #   name: :cilogon,
+  #   issuer: ' https://cilogon.org/oauth2/device_authorization',
+  #   scope: [:openid, :profile, :email, 'org.cilogon.userinfo'],
+  #   uid_field: :sub,
+  #   response_type: :code,
+  #   client_options: {
+  #     identifier: ENV['CILOGON_CLIENT_ID'],
+  #     secret: ENV['CILOGON_SECRET_KEY'],
+  #     redirect_uri: "http://localhost:3000/users/auth/openid_connect/callback",
+  #     host: 'cilogon.org',
+  #     authorization_endpoint:"https://cilogon.org/authorize",
+  #     token_endpoint:"https://cilogon.org/oauth2/token",
+  #     registration_endpoint:"https://cilogon.org/oauth2/oidc-cm",
+  #     userinfo_endpoint:"https://cilogon.org/oauth2/userinfo",
+  #     # authorization_endpoint: '/oauth2/device_authorization',
+  #     # token_endpoint: '/oauth2/token',
+  #     # userinfo_endpoint: '/oauth2/userinfo'
+  #   }
+  # }
 
   # XXX the 4th attempt of this is final final XXX
 
-      config.omniauth :openid_connect, {
-                      name: :openid_connect,
-                      scope: [:openid], #:email], #:profile],#, :"org.cilogon.userinfo"],
-                      response_type: :code,
-                      issuer: "https://cilogon.org",
-                      discovery: true,
-                      client_options: {
-                        uid_field: "sub",
-                        port: 443,
-                        scheme: "https",
-                        host: "cilogon.org",
-                        identifier: ENV['CILOGON_CLIENT_ID'],
-                        secret: ENV['CILOGON_SECRET_KEY'],
-                        redirect_uri: "http://127.0.0.1:3000/users/auth/openid_connect/callback"
-                      },
-                    }
+  config.omniauth :openid_connect, {
+    name: :openid_connect,
+    scope: %i[openid email profile org.cilogon.userinfo],
+    response_type: :code,
+    issuer: "https://cilogon.org",
+    discovery: true,
+    client_options: {
+      uid_field: "sub",
+      port: 443,
+      scheme: "https",
+      host: "cilogon.org",
+      identifier: ENV.fetch('CILOGON_CLIENT_ID', nil),
+      secret: ENV.fetch('CILOGON_SECRET_KEY', nil),
+      redirect_uri: "http://127.0.0.1:3000/users/auth/openid_connect/callback"
+    }
+  }
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
