decidim-msad 0.22.0

data/lib/decidim/msad/authentication.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "authentication/authenticator"
+require_relative "authentication/errors"

data/lib/decidim/msad/authentication/authenticator.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module Authentication
+      class Authenticator
+        include ActiveModel::Validations
+
+        def initialize(organization, oauth_hash)
+          @organization = organization
+          @oauth_hash = oauth_hash
+          @new_user = false
+        end
+
+        def verified_email
+          @verified_email ||= begin
+            if oauth_data[:info][:email]
+              oauth_data[:info][:email]
+            else
+              domain = ::Decidim::Msad.auto_email_domain || organization.host
+              "msad-#{person_identifier_digest}@#{domain}"
+            end
+          end
+        end
+
+        def user_params_from_oauth_hash
+          return nil if oauth_data.empty?
+          return nil if user_identifier.blank?
+
+          {
+            provider: oauth_data[:provider],
+            uid: user_identifier,
+            name: oauth_data[:info][:name],
+            # The nickname is automatically "parametrized" by Decidim core from
+            # the name string, i.e. it will be in correct format.
+            nickname: oauth_data[:info][:nickname] || oauth_data[:info][:name],
+            oauth_signature: user_signature,
+            avatar_url: oauth_data[:info][:image],
+            raw_data: oauth_hash
+          }
+        end
+
+        # Validate gets run very early in the authentication flow as it's the
+        # first method to call before anything else is done. The purpose of this
+        # method is to check that the authentication data returned by the AD
+        # federation service is valid and contains all the information that we
+        # would expect. Therefore, it "validates" that the authentication can
+        # be performed.
+        def validate!
+          raise ValidationError, "No SAML data provided" unless saml_attributes
+
+          actual_attributes = saml_attributes.attributes
+          actual_attributes.delete("fingerprint")
+          raise ValidationError, "No SAML data provided" if actual_attributes.blank?
+
+          data_blank = actual_attributes.all? { |_k, val| val.blank? }
+          raise ValidationError, "Invalid SAML data" if data_blank
+          raise ValidationError, "Invalid person dentifier" if person_identifier_digest.blank?
+
+          # Check if there is already an existing identity which is bound to an
+          # existing user record. If the identity is not found or the user
+          # record bound to that identity no longer exists, the signed in user
+          # is a new user.
+          id = ::Decidim::Identity.find_by(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+          @new_user = id ? id.user.blank? : true
+
+          true
+        end
+
+        # User is only identified in case they were already logged in during the
+        # authentication flow. This can happen in case the service allows public
+        # registrations and authorization through MSAD is enabled in the user's
+        # profile. This adds a new identity to an existing user unless the
+        # identity is already bound to another user profile which would happen
+        # e.g. in the following situation:
+        #
+        # - The user registered to the service through OmniAuth for the first
+        #   time using this OmniAuth identity.
+        # - Next time they came to the service, they created a new user account
+        #   in Decidim using the registration form with another email address.
+        # - Now, they sign in to the service using the manually created account.
+        # - They go to the authorization view to authorize themselves through
+        #   MSAD (which adds the authorization metadata information that might
+        #   be required in order to perform actions).
+        # - Now the person has two accounts, one of which is already bound to a
+        #   user's OmniAuth identity.
+        # - There is a conflict because we cannot bind the same identity to two
+        #   different user profiles (which could lead to thefts).
+        # - This method will notice it and the OmniAuth login information will
+        #   not be stored to the user's authorization metadata.
+        def identify_user!(user)
+          identity = user.identities.find_by(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+          return identity if identity
+
+          # Check that the identity is not already bound to another user.
+          id = ::Decidim::Identity.find_by(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+
+          raise IdentityBoundToOtherUserError if id
+
+          user.identities.create!(
+            organization: organization,
+            provider: oauth_data[:provider],
+            uid: user_identifier
+          )
+        end
+
+        # The authorize_user! method will be performed when the sign in attempt
+        # has been verified and the user has been identified or alternatively a
+        # new identity has been created to them. The possibly configured SAML
+        # attributes are stored against the authorization making it possible to
+        # add action authorizer conditions based on the information passed from
+        # AD. E.g. some processes might be only limited to specific users within
+        # the organization belonging to a specific group.
+        def authorize_user!(user)
+          authorization = ::Decidim::Authorization.find_by(
+            name: "msad_identity",
+            unique_id: user_signature
+          )
+          if authorization
+            raise AuthorizationBoundToOtherUserError if authorization.user != user
+          else
+            authorization = ::Decidim::Authorization.find_or_initialize_by(
+              name: "msad_identity",
+              user: user
+            )
+          end
+
+          authorization.attributes = {
+            unique_id: user_signature,
+            metadata: authorization_metadata
+          }
+          authorization.save!
+
+          # This will update the "granted_at" timestamp of the authorization
+          # which will postpone expiration on re-authorizations in case the
+          # authorization is set to expire (by default it will not expire).
+          authorization.grant!
+
+          authorization
+        end
+
+        # Keeps the user data in sync with the federation server after
+        # everything else is done and the user is just aboud to be redirected
+        # further to the next page after the successful login. This is called on
+        # every successful login callback request.
+        def update_user!(user)
+          user_changed = false
+          if user.email != verified_email
+            user_changed = true
+            user.email = verified_email
+            user.skip_reconfirmation!
+          end
+          user.newsletter_notifications_at = Time.now if user_newsletter_subscription?(user)
+
+          user.save! if user_changed
+        end
+
+        protected
+
+        attr_reader :organization, :oauth_hash
+
+        def user_newsletter_subscription?(user)
+          return false unless @new_user
+
+          # Return if newsletter subscriptions are not configured
+          return false unless ::Decidim::Msad.registration_newsletter_subscriptions
+
+          user.newsletter_notifications_at.nil?
+        end
+
+        def oauth_data
+          @oauth_data ||= oauth_hash.slice(:provider, :uid, :info)
+        end
+
+        def saml_attributes
+          @saml_attributes ||= oauth_hash[:extra][:raw_info]
+        end
+
+        def user_identifier
+          @user_identifier ||= oauth_data[:uid]
+        end
+
+        # Create a unique signature for the user that will be used for the
+        # granted authorization.
+        def user_signature
+          @user_signature ||= ::Decidim::OmniauthRegistrationForm.create_signature(
+            oauth_data[:provider],
+            user_identifier
+          )
+        end
+
+        def metadata_collector
+          @metadata_collector ||= ::Decidim::Msad::Verification::Manager.metadata_collector_for(
+            saml_attributes
+          )
+        end
+
+        # Data that is stored against the authorization "permanently" (i.e. as
+        # long as the authorization is valid).
+        def authorization_metadata
+          metadata_collector.metadata
+        end
+
+        # Digested format of the person's identifier to be used in the
+        # auto-generated emails. This is used so that the actual identifier is not
+        # revealed directly to the end user.
+        def person_identifier_digest
+          return if user_identifier.blank?
+
+          @person_identifier_digest ||= Digest::MD5.hexdigest(
+            "MSAD:#{user_identifier}:#{Rails.application.secrets.secret_key_base}"
+          )
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/authentication/errors.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module Authentication
+      class Error < StandardError; end
+
+      class AuthorizationBoundToOtherUserError < Error; end
+      class IdentityBoundToOtherUserError < Error; end
+
+      class ValidationError < Error
+        attr_reader :validation_key
+
+        def initialize(msg = nil, validation_key = :invalid_data)
+          @validation_key = validation_key
+          super(msg)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/engine.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    class Engine < ::Rails::Engine
+      isolate_namespace Decidim::Msad
+
+      routes do
+        devise_scope :user do
+          # Manually map the SAML omniauth routes for Devise because the default
+          # routes are mounted by core Decidim. This is because we want to map
+          # these routes to the local callbacks controller instead of the
+          # Decidim core.
+          # See: https://git.io/fjDz1
+          match(
+            "/users/auth/msad",
+            to: "omniauth_callbacks#passthru",
+            as: "user_msad_omniauth_authorize",
+            via: [:get, :post]
+          )
+
+          match(
+            "/users/auth/msad/callback",
+            to: "omniauth_callbacks#msad",
+            as: "user_msad_omniauth_callback",
+            via: [:get, :post]
+          )
+
+          # Add the SLO and SPSLO paths to be able to pass these requests to
+          # OmniAuth.
+          match(
+            "/users/auth/msad/slo",
+            to: "sessions#slo",
+            as: "user_msad_omniauth_slo",
+            via: [:get, :post]
+          )
+
+          match(
+            "/users/auth/msad/spslo",
+            to: "sessions#spslo",
+            as: "user_msad_omniauth_spslo",
+            via: [:get, :post]
+          )
+
+          # Manually map the sign out path in order to control the sign out
+          # flow through OmniAuth when the user signs out from the service.
+          # In these cases, the user needs to be also signed out from the AD
+          # federation server which is handled by the OmniAuth strategy.
+          match(
+            "/users/sign_out",
+            to: "sessions#destroy",
+            as: "destroy_user_session",
+            via: [:delete, :post]
+          )
+
+          # This is the callback route after a returning from a successful sign
+          # out request through OmniAuth.
+          match(
+            "/users/slo_callback",
+            to: "sessions#slo_callback",
+            as: "slo_callback_user_session",
+            via: [:get]
+          )
+        end
+      end
+
+      initializer "decidim_msad.mount_routes", before: :add_routing_paths do
+        # Mount the engine routes to Decidim::Core::Engine because otherwise
+        # they would not get mounted properly. Note also that we need to prepend
+        # the routes in order for them to override Decidim's own routes for the
+        # "msad" authentication.
+        Decidim::Core::Engine.routes.prepend do
+          mount Decidim::Msad::Engine => "/"
+        end
+      end
+
+      initializer "decidim_msad.setup", before: "devise.omniauth" do
+        next unless Decidim::Msad.configured?
+
+        # Configure the SAML OmniAuth strategy for Devise
+        ::Devise.setup do |config|
+          config.omniauth(
+            :msad,
+            Decidim::Msad.omniauth_settings
+          )
+        end
+
+        # Customized version of Devise's OmniAuth failure app in order to handle
+        # the failures properly. Without this, the failure requests would end
+        # up in an ActionController::InvalidAuthenticityToken exception.
+        devise_failure_app = OmniAuth.config.on_failure
+        OmniAuth.config.on_failure = proc do |env|
+          if env["PATH_INFO"] =~ %r{^/users/auth/msad(/.*)?}
+            env["devise.mapping"] = ::Devise.mappings[:user]
+            Decidim::Msad::OmniauthCallbacksController.action(
+              :failure
+            ).call(env)
+          else
+            # Call the default for others.
+            devise_failure_app.call(env)
+          end
+        end
+      end
+
+      initializer "decidim_msad.mail_interceptors" do
+        ActionMailer::Base.register_interceptor(
+          MailInterceptors::GeneratedRecipientsInterceptor
+        )
+      end
+    end
+  end
+end

data/lib/decidim/msad/mail_interceptors.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module MailInterceptors
+      autoload :GeneratedRecipientsInterceptor, "decidim/msad/mail_interceptors/generated_recipients_interceptor"
+    end
+  end
+end

data/lib/decidim/msad/mail_interceptors/generated_recipients_interceptor.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module MailInterceptors
+      # Prevents sending emails to the auto-generated email addresses.
+      class GeneratedRecipientsInterceptor
+        def self.delivering_email(message)
+          return unless Decidim::Msad.auto_email_domain
+
+          # Regexp to match the auto-generated emails
+          regexp = /^msad-[a-z0-9]{32}@#{Decidim::Msad.auto_email_domain}$/
+
+          # Remove the auto-generated email from the message recipients
+          message.to = message.to.reject { |email| email =~ regexp } if message.to
+          message.cc = message.cc.reject { |email| email =~ regexp } if message.cc
+          message.bcc = message.bcc.reject { |email| email =~ regexp } if message.bcc
+
+          # Prevent delivery in case there are no recipients on the email
+          message.perform_deliveries = false if message.to.empty?
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/test/runtime.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "webmock"
+
+module Decidim
+  module Msad
+    module Test
+      class Runtime
+        # Ability to stub the requests already in the control class
+        include WebMock::API
+
+        def self.initializer(&block)
+          @block = block
+        end
+
+        def self.initialize
+          new.instance_initialize(&@block)
+        end
+
+        def self.load_app
+          engine_spec_dir = File.join(Dir.pwd, "spec")
+
+          require "#{Decidim::Dev.dummy_app_path}/config/environment"
+
+          Dir["#{engine_spec_dir}/shared/**/*.rb"].each { |f| require f }
+
+          require "paper_trail/frameworks/rspec"
+
+          require "decidim/dev/test/spec_helper"
+        end
+
+        def instance_initialize
+          yield self if block_given?
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/verification.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative "verification/metadata_collector"
+require_relative "verification/manager"
+require_relative "verification/engine"