decidim-msad 0.22.0

data/Rakefile

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "decidim/dev/common_rake"
+
+desc "Generates a dummy app for testing"
+task test_app: "decidim:generate_external_test_app" do
+  Dir.chdir("spec/decidim_dummy_app") do
+    system("bundle exec rails generate decidim:msad:install --test-initializer true")
+  end
+end
+
+desc "Generates a development app."
+task development_app: "decidim:generate_external_development_app" do
+  Dir.chdir("development_app") do
+    system("bundle exec rails generate decidim:msad:install")
+  end
+end

data/app/controllers/decidim/msad/omniauth_callbacks_controller.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    class OmniauthCallbacksController < ::Decidim::Devise::OmniauthRegistrationsController
+      # Make the view helpers available needed in the views
+      helper Decidim::Msad::Engine.routes.url_helpers
+      helper_method :omniauth_registrations_path
+
+      skip_before_action :verify_authenticity_token, only: [:msad, :failure]
+      skip_after_action :verify_same_origin_request, only: [:msad, :failure]
+
+      # This is called always after the user returns from the authentication
+      # flow from the Active Directory identity provider.
+      def msad
+        session["decidim-msad.signed_in"] = true
+
+        authenticator.validate!
+
+        if user_signed_in?
+          # The user is most likely returning from an authorization request
+          # because they are already signed in. In this case, add the
+          # authorization and redirect the user back to the authorizations view.
+
+          # Make sure the user has an identity created in order to aid future
+          # Active Directory sign ins. In case this fails, it will raise a
+          # Decidim::Msad::Authentication::IdentityBoundToOtherUserError
+          # which is handled below.
+          authenticator.identify_user!(current_user)
+
+          # Add the authorization for the user
+          return fail_authorize unless authorize_user(current_user)
+
+          # Make sure the user details are up to date
+          authenticator.update_user!(current_user)
+
+          # Show the success message and redirect back to the authorizations
+          flash[:notice] = t(
+            "authorizations.create.success",
+            scope: "decidim.msad.verification"
+          )
+          return redirect_to(
+            stored_location_for(resource || :user) ||
+            decidim_verifications.authorizations_path
+          )
+        end
+
+        # Normal authentication request, proceed with Decidim's internal logic.
+        send(:create)
+      rescue Decidim::Msad::Authentication::ValidationError => e
+        fail_authorize(e.validation_key)
+      rescue Decidim::Msad::Authentication::IdentityBoundToOtherUserError
+        fail_authorize(:identity_bound_to_other_user)
+      end
+
+      def failure
+        strategy = failed_strategy
+        saml_response = strategy.response_object if strategy
+        return super unless saml_response
+
+        # In case we want more info about the returned status codes, use the
+        # code below.
+        #
+        # Status codes:
+        #   Requester = A problem with the request OR the user cancelled the
+        #               request at the identity provider.
+        #   Responder = The handling of the request failed.
+        #   VersionMismatch = Wrong version in the request.
+        #
+        # Additional state codes:
+        #   AuthnFailed = The authentication failed OR the user cancelled
+        #                 the process at the identity provider.
+        #   RequestDenied = The authenticating endpoint (which the
+        #                   identity provider redirects to) rejected the
+        #                   authentication.
+        # if !saml_response.send(:validate_success_status) && !saml_response.status_code.nil?
+        #   codes = saml_response.status_code.split(" | ").map do |full_code|
+        #     full_code.split(":").last
+        #   end
+        # end
+
+        # Some extra validation checks
+        validations = [
+          # The success status validation fails in case the response status
+          # code is something else than "Success". This is most likely because
+          # of one the reasons explained above. In general there are few
+          # possible explanations for this:
+          # 1. The user cancelled the request and returned to the service.
+          # 2. The underlying identity service the IdP redirects to rejected
+          #    the request for one reason or another. E.g. the user cancelled
+          #    the request at the identity service.
+          # 3. There is some technical problem with the identity provider
+          #    service or the XML request sent to there is malformed.
+          :success_status,
+          # Checks if the local session should be expired, i.e. if the user
+          # took too long time to go through the authorization endpoint.
+          :session_expiration,
+          # The NotBefore and NotOnOrAfter conditions failed, i.e. whether the
+          # request is handled within the allowed timeframe by the IdP.
+          :conditions
+        ]
+        validations.each do |key|
+          next if saml_response.send("validate_#{key}")
+
+          flash[:alert] = t(".#{key}")
+          return redirect_to after_omniauth_failure_path_for(resource_name)
+        end
+
+        super
+      end
+
+      # This is overridden method from the Devise controller helpers
+      # This is called when the user is successfully authenticated which means
+      # that we also need to add the authorization for the user automatically
+      # because a succesful Active Directory authentication means the user has
+      # been successfully authorized as well.
+      def sign_in_and_redirect(resource_or_scope, *args)
+        # Add authorization for the user
+        if resource_or_scope.is_a?(::Decidim::User)
+          return fail_authorize unless authorize_user(resource_or_scope)
+
+          # Make sure the user details are up to date
+          authenticator.update_user!(resource_or_scope)
+        end
+
+        super
+      end
+
+      private
+
+      def authorize_user(user)
+        authenticator.authorize_user!(user)
+      rescue Decidim::Msad::Authentication::AuthorizationBoundToOtherUserError
+        nil
+      end
+
+      def fail_authorize(failure_message_key = :already_authorized)
+        flash[:alert] = t(
+          "failure.#{failure_message_key}",
+          scope: "decidim.msad.omniauth_callbacks"
+        )
+
+        redirect_path = stored_location_for(resource || :user) || decidim.root_path
+        if session.delete("decidim-msad.signed_in")
+          params = "?RelayState=#{CGI.escape(redirect_path)}"
+
+          return redirect_to user_msad_omniauth_spslo_path + params
+        end
+
+        redirect_to redirect_path
+      end
+
+      # Needs to be specifically defined because the core engine routes are not
+      # all properly loaded for the view and this helper method is needed for
+      # defining the omniauth registration form's submit path.
+      def omniauth_registrations_path(resource)
+        Decidim::Core::Engine.routes.url_helpers.omniauth_registrations_path(resource)
+      end
+
+      # Private: Create form params from omniauth hash
+      # Since we are using trusted omniauth data we are generating a valid signature.
+      def user_params_from_oauth_hash
+        authenticator.user_params_from_oauth_hash
+      end
+
+      def authenticator
+        @authenticator ||= Decidim::Msad.authenticator_for(
+          current_organization,
+          oauth_hash
+        )
+      end
+
+      def verified_email
+        authenticator.verified_email
+      end
+    end
+  end
+end

data/app/controllers/decidim/msad/sessions_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    class SessionsController < ::Decidim::Devise::SessionsController
+      def destroy
+        # In case the user is signed in through the AD federation server,
+        # redirect them through the SPSLO flow.
+        if session.delete("decidim-msad.signed_in")
+          # These session variables get destroyed along with the user's active
+          # session. They are needed for the SLO request.
+          saml_uid = session["saml_uid"]
+          saml_session_index = session["saml_session_index"]
+          stored_location = stored_location_for(resource_name)
+
+          # End the local user session.
+          signed_out = (::Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+
+          # Store the SAML parameters for the SLO request utilized by
+          # omniauth-saml. These are used to generate a valid SLO request.
+          session["saml_uid"] = saml_uid
+          session["saml_session_index"] = saml_session_index
+          store_location_for(resource_name, stored_location) if stored_location
+
+          # Generate the SLO redirect path and parameters.
+          relay = slo_callback_user_session_path
+          relay += "?success=1" if signed_out
+          params = "?RelayState=#{CGI.escape(relay)}"
+
+          return redirect_to user_msad_omniauth_spslo_path + params
+        end
+
+        # Otherwise, continue normally
+        super
+      end
+
+      def slo
+        # This is handled already by omniauth
+        redirect_to decidim.root_path
+      end
+
+      def spslo
+        # This is handled already by omniauth
+        redirect_to decidim.root_path
+      end
+
+      def slo_callback
+        set_flash_message! :notice, :signed_out if params[:success] == "1"
+
+        # Redirect to the root path when the organization forces users to
+        # authenticate before accessing the organization.
+        return redirect_to(decidim.new_user_session_path) if current_organization.force_users_to_authenticate_before_access_organization
+
+        redirect_to stored_location_for(resource_name) || decidim.root_path
+      end
+    end
+  end
+end

data/app/controllers/decidim/msad/verification/authorizations_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module Verification
+      class AuthorizationsController < ::Decidim::ApplicationController
+        skip_before_action :store_current_location
+
+        def new
+          # Do not enforce the permission here because it would cause
+          # re-authorizations not to work as the authorization already exists.
+          # In case the user wants to re-authorize themselves, they can just
+          # hit this endpoint again.
+          redirect_to decidim.user_msad_omniauth_authorize_path
+        end
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,27 @@
+---
+en:
+  decidim:
+    authorization_handlers:
+      msad_identity:
+        explanation: Identify yourself using the Active Directory identity service.
+        name: Active Directory identity
+    msad:
+      omniauth_callbacks:
+        failure:
+          already_authorized: Another user has already authorized themselves with the same identity.
+          conditions: The authentication request was not handled within an allowed timeframe. Please try again.
+          identity_bound_to_other_user: Another user has already been identified using this identity. Please sign out and sign in again directly using Active Directory.
+          invalid_data: You cannot be authenticated through Active Directory.
+          session_expiration: Authentication session expired. Please try again.
+          success_status: Authentication failed or cancelled. Please try again.
+      verification:
+        authorizations:
+          create:
+            success: You have been successfully authorized through Active Directory
+          destroy:
+            success: Authorization sucessfully reset.
+    system:
+      organizations:
+        omniauth_settings:
+          msad:
+            metadata_url: Metadata URL

data/config/locales/fi.yml

@@ -0,0 +1,26 @@
+fi:
+  decidim:
+    authorization_handlers:
+      msad_identity:
+        explanation: Tunnista itsesi Active Directory -tunnistuspalvelun avulla.
+        name: Active Directory tunnistus
+    msad:
+      omniauth_callbacks:
+        failure:
+          already_authorized: Toinen käyttäjä on tunnistanut itsensä jo samalla henkilöllisyydellä.
+          conditions: Tunnistuspyyntöä ei käsitelty sallitun aikarajan sisällä. Yritä uudestaan.
+          identity_bound_to_other_user: Toinen käyttäjä on jo tunnistanut itsensä tällä henkilöllisyydellä. Kirjaudu ulos ja kirjaudu uudestaan sisään käyttäen suoraan Active Directory -tunnistusta.
+          invalid_data: Sinua ei voida tunnistaa Active Directoryn kautta.
+          session_expiration: Tunnistusistunto vanhentui. Yritä uudestaan.
+          success_status: Tunnistus epäonnistui tai peruutettiin. Yritä uudestaan.
+      verification:
+        authorizations:
+          create:
+            success: Sinut on onnistuneesti tunnistettu Active Directory -palvelun avulla
+          destroy:
+            success: Varmennus tyhjennetty onnistuneesti.
+    system:
+      organizations:
+        omniauth_settings:
+          msad:
+            metadata_url: Metadatan osoite (URL)

data/config/locales/sv.yml

@@ -0,0 +1,26 @@
+sv:
+  decidim:
+    authorization_handlers:
+      msad_identity:
+        explanation: Identifiera dig själv med Active Directory -identifikation.
+        name: Active Directory -identifikation
+    msad:
+      omniauth_callbacks:
+        failure:
+          already_authorized: En annan användare har redan godkänt sig med samma identitet.
+          conditions: Autentiseringsbegäran hanterades inte inom en tillåten tidsram. Var god försök igen.
+          identity_bound_to_other_user: En annan användare har redan identifierats med denna identitet. Logga ut och logga in igen direkt med Active Directory.
+          invalid_data: Du kan inte verifieras via Active Directory.
+          session_expiration: Autentiseringssessionen har gått ut. Var god försök igen.
+          success_status: Autentiseringen misslyckades eller avbröts. Var god försök igen.
+      verification:
+        authorizations:
+          create:
+            success: Du har godkänts med Active Directory
+          destroy:
+            success: Tillståndet återställs efterhand.
+    system:
+      organizations:
+        omniauth_settings:
+          msad:
+            metadata_url: Metadata URL

data/lib/decidim/msad.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+require "omniauth"
+require "omniauth/strategies/msad"
+
+require_relative "msad/version"
+require_relative "msad/engine"
+require_relative "msad/authentication"
+require_relative "msad/verification"
+require_relative "msad/mail_interceptors"
+
+module Decidim
+  module Msad
+    include ActiveSupport::Configurable
+
+    @configured = false
+
+    # Defines the auto email domain to generate verified email addresses upon
+    # the user's registration automatically that have format similar to
+    # "msad-identifier@auto-email-domain.fi".
+    #
+    # In case this is not defined, the default is the organization's domain.
+    config_accessor :auto_email_domain
+
+    config_accessor :idp_metadata_url
+    config_accessor :sp_entity_id, instance_reader: false
+
+    # The certificate string for the application
+    config_accessor :certificate, instance_reader: false
+
+    # The private key string for the application
+    config_accessor :private_key, instance_reader: false
+
+    # The certificate file for the application
+    config_accessor :certificate_file
+
+    # The private key file for the application
+    config_accessor :private_key_file
+
+    # Defines how the session gets cleared when the OmniAuth strategy logs the
+    # user out. This has been customized to preserve the flash messages and the
+    # stored redirect location in the session after the session is destroyed.
+    config_accessor :idp_slo_session_destroy do
+      proc do |_env, session|
+        flash = session["flash"]
+        return_to = session["user_return_to"]
+        result = session.clear
+        session["flash"] = flash if flash
+        session["user_return_to"] = return_to if return_to
+        result
+      end
+    end
+
+    # These are extra attributes that can be stored for the authorization
+    # metadata. Define these as follows:
+    #
+    # Decidim::Msad.configure do |config|
+    #   # ...
+    #   config.metadata_attributes = {
+    #     primary_group_sid: "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid",
+    #     groups: { name: "http://schemas.xmlsoap.org/claims/Group", type: :multi }
+    #   }
+    # end
+    config_accessor :metadata_attributes do
+      {}
+    end
+
+    # Extra metadata to be included in the service provider metadata. Define as
+    # follows:
+    #
+    # Decidim::Msad.configure do |config|
+    #   # ...
+    #   config.sp_metadata = [
+    #     {
+    #       name: "Organization",
+    #       children: [
+    #         {
+    #           name: "OrganizationName",
+    #           attributes: { "xml:lang" => "en-US" },
+    #           content: "Acme"
+    #         }
+    #       ]
+    #     }
+    #   ]
+    # end
+    config_accessor :sp_metadata do
+      []
+    end
+
+    # Extra configuration for the omniauth strategy
+    config_accessor :extra do
+      {}
+    end
+
+    # Defines whether registered users are automatically subscribed to the
+    # newsletters during the OmniAuth registration flow. This is only updated
+    # during the first login, so users can still unsubscribe if they later
+    # decide they don't want to receive the newsletter and later logins will not
+    # change the subscription state.
+    config_accessor :registration_newsletter_subscriptions do
+      false
+    end
+
+    # Allows customizing the authorization workflow e.g. for adding custom
+    # workflow options or configuring an action authorizer for the
+    # particular needs.
+    config_accessor :workflow_configurator do
+      lambda do |workflow|
+        # By default, expiration is set to 0 minutes which means it will
+        # never expire.
+        workflow.expires_in = 0.minutes
+      end
+    end
+
+    # Allows customizing parts of the authentication flow such as validating
+    # the authorization data before allowing the user to be authenticated.
+    config_accessor :authenticator_class do
+      Decidim::Msad::Authentication::Authenticator
+    end
+
+    # Allows customizing how the authorization metadata gets collected from
+    # the SAML attributes passed from the authorization endpoint.
+    config_accessor :metadata_collector_class do
+      Decidim::Msad::Verification::MetadataCollector
+    end
+
+    def self.configured?
+      @configured
+    end
+
+    def self.configure
+      @configured = true
+      super
+    end
+
+    def self.authenticator_for(organization, oauth_hash)
+      authenticator_class.new(organization, oauth_hash)
+    end
+
+    def self.sp_entity_id
+      return config.sp_entity_id if config.sp_entity_id
+
+      "#{application_host}/users/auth/msad/metadata"
+    end
+
+    def self.certificate
+      return File.read(certificate_file) if certificate_file
+
+      config.certificate
+    end
+
+    def self.private_key
+      return File.read(private_key_file) if private_key_file
+
+      config.private_key
+    end
+
+    def self.omniauth_settings
+      {
+        idp_metadata_url: idp_metadata_url,
+        sp_entity_id: sp_entity_id,
+        sp_name_qualifier: sp_entity_id,
+        idp_slo_session_destroy: idp_slo_session_destroy,
+        sp_metadata: sp_metadata,
+        certificate: certificate,
+        private_key: private_key,
+        # Define the assertion and SLO URLs for the metadata.
+        assertion_consumer_service_url: "#{application_host}/users/auth/msad/callback",
+        single_logout_service_url: "#{application_host}/users/auth/msad/slo"
+      }.merge(extra)
+    end
+
+    # Used to determine the default service provider entity ID in case not
+    # specifically set by the `sp_entity_id` configuration option.
+    def self.application_host
+      conf = Rails.application.config
+      url_options = conf.action_controller.default_url_options
+      url_options = conf.action_mailer.default_url_options if !url_options || !url_options[:host]
+      url_options ||= {}
+
+      # Note that at least Azure AD requires all callback URLs to be HTTPS, so
+      # we'll default to that.
+      host = url_options[:host]
+      port = url_options[:port]
+      protocol = url_options[:protocol]
+      protocol = port.to_i == 80 ? "http" : "https" if protocol.blank?
+      if host.blank?
+        # Default to local development environment.
+        host = "localhost"
+        port ||= 3000
+      end
+
+      return "#{protocol}://#{host}:#{port}" if port && ![80, 443].include?(port.to_i)
+
+      "#{protocol}://#{host}"
+    end
+  end
+end