obscured-doorman 0.4.0

data/lib/obscured-doorman/providers/bitbucket/access_token.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Obscured
+  module Doorman
+    module Providers
+      module Bitbucket
+        class AccessToken
+          attr_accessor :access_token
+          attr_accessor :refresh_token
+          attr_accessor :scopes
+          attr_accessor :expires_in
+          attr_accessor :expires_date
+          attr_accessor :emails
+
+          def initialize(attributes = {})
+            @access_token = attributes[:access_token]
+            @refresh_token = attributes[:refresh_token]
+            @scopes = attributes[:scopes]
+            @expires_in = attributes[:expires_in]
+            @expires_date = DateTime.now + expires_in.to_i.seconds
+            @emails = attributes[:emails]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/bitbucket/configuration.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require File.expand_path('../base/configuration', __dir__)
+
+module Obscured
+  module Doorman
+    module Providers
+      module Bitbucket
+        class Configuration < Doorman::Providers::BaseConfiguration
+          def initialize
+            @config_values = {}
+
+            # set default attribute values
+            @defaults = _defaults
+          end
+
+          private
+
+          def _defaults
+            OpenStruct.new(
+              provider: Doorman::Providers::Bitbucket,
+              enabled: false,
+              client_id: nil,
+              client_secret: nil,
+              scopes: 'account',
+              authorize_url: 'https://bitbucket.org/site/oauth2/authorize',
+              token_url: 'https://bitbucket.org/site/oauth2/access_token',
+              login_url: '/doorman/oauth2/bitbucket',
+              redirect_url: '/doorman/oauth2/bitbucket/callback',
+              domains: [],
+              token: nil
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/bitbucket/messages.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Obscured
+  module Doorman
+    module Providers
+      module Bitbucket
+        MESSAGES = {
+          invalid_domain: 'The domain associated with your email address is not whitelisted, please contact system administrator.'
+        }.freeze
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/bitbucket/strategy.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'haml'
+require File.expand_path('messages', __dir__)
+
+module Obscured
+  module Doorman
+    module Providers
+      module Bitbucket
+        class Strategy < Warden::Strategies::Base
+          def valid?
+            emails = Bitbucket.configuration[:token].emails
+
+            if Bitbucket.configuration[:domains].nil?
+              return true if emails.length.positive?
+            else
+              return true if valid_domain?
+            end
+
+            fail!(Bitbucket::MESSAGES[:invalid_domain])
+            false
+          end
+
+          def authenticate!
+            user = Doorman::User.where(:username.in => Bitbucket.configuration[:token].emails).first
+
+            if user.nil?
+              fail!(Doorman::MESSAGES[:login_bad_credentials])
+            elsif !user.confirmed
+              user.confirm
+
+              fail!(Doorman::MESSAGES[:login_not_confirmed])
+            else
+              success!(user)
+            end
+          end
+
+          private
+
+          def valid_domain?
+            emails = Bitbucket.configuration[:token].emails || []
+            domains = Bitbucket.configuration[:domains].split(',')
+
+            emails.each do |email|
+              return true unless domains.detect { |domain| email.end_with?(domain) }.nil?
+            end
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/github.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require File.expand_path('github/configuration', __dir__)
+require File.expand_path('github/messages', __dir__)
+require File.expand_path('github/access_token', __dir__)
+require File.expand_path('github/strategy', __dir__)
+
+module Obscured
+  module Doorman
+    module Providers
+      module GitHub
+        class << self
+          # Configuration Object (instance of Obscured::Doorman::Providers::GitHub::Configuration)
+          attr_writer :configuration
+
+          def setup
+            yield(configuration)
+          end
+
+          def configuration
+            @configuration ||= GitHub::Configuration.new
+          end
+
+          def default_configuration
+            configuration.defaults
+          end
+        end
+
+        def self.registered(app)
+          app.helpers Doorman::Base::Helpers
+          app.helpers Doorman::Helpers
+
+          Warden::Strategies.add(:github, GitHub::Strategy)
+
+          app.get '/doorman/oauth2/github' do
+            redirect("#{GitHub.configuration[:authorize_url]}?client_id=#{GitHub.configuration[:client_id]}&response_type=code&scope=#{GitHub.configuration[:scopes]}")
+          end
+
+          app.get '/doorman/oauth2/github/callback/?' do
+            response = RestClient::Request.new(
+              method: :post,
+              url: GitHub.configuration[:token_url],
+              user: GitHub.configuration[:client_id],
+              password: GitHub.configuration[:client_secret],
+              payload: "code=#{params[:code]}&grant_type=authorization_code&scope=#{GitHub.configuration[:scopes]}",
+              headers: { Accept: 'application/json' }
+            ).execute
+
+            json = JSON.parse(response.body)
+            token = GitHub::AccessToken.new(
+              access_token: json['access_token'],
+              token_type: json['token_type'],
+              scope: json['scope']
+            )
+
+            emails = RestClient.get 'https://api.github.com/user/emails', Authorization: "token #{token.access_token}"
+            emails = JSON.parse(emails.body)
+            token.emails = emails.map { |e| e['email'] }
+            GitHub.configuration[:token] = token
+
+            # Authenticate with :github strategy
+            warden.authenticate!(:github)
+          rescue RestClient::ExceptionWithResponse => e
+            message = JSON.parse(e.response)
+            Doorman.logger.error e
+            notify :error, "#{message['error_description']} (#{message['error']})"
+            redirect(Doorman.configuration.paths[:login])
+          ensure
+            # Notify if there are any messages from Warden.
+            notify :error, warden.message unless warden.message.blank?
+
+            redirect(Doorman.configuration.use_referrer && session[:return_to] ? session.delete(:return_to) : Doorman.configuration.paths[:success])
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/github/access_token.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Obscured
+  module Doorman
+    module Providers
+      module GitHub
+        class AccessToken
+          attr_accessor :access_token
+          attr_accessor :token_type
+          attr_accessor :scope
+          attr_accessor :emails
+
+          def initialize(attributes = {})
+            @access_token = attributes[:access_token]
+            @token_type = attributes[:token_type]
+            @scopes = attributes[:scopes]
+            @emails = attributes[:emails]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/github/configuration.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require File.expand_path('../base/configuration', __dir__)
+
+module Obscured
+  module Doorman
+    module Providers
+      module GitHub
+        class Configuration < Doorman::Providers::BaseConfiguration
+          def initialize
+            @config_values = {}
+
+            # set default attribute values
+            @defaults = _defaults
+          end
+
+          private
+
+          def _defaults
+            OpenStruct.new(
+              provider: Doorman::Providers::GitHub,
+              enabled: false,
+              client_id: nil,
+              client_secret: nil,
+              scopes: 'user:email',
+              authorize_url: 'https://github.com/login/oauth/authorize',
+              token_url: 'https://github.com/login/oauth/access_token',
+              login_url: '/doorman/oauth2/github',
+              redirect_url: '/doorman/oauth2/github/callback',
+              domains: [],
+              token: nil
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/github/messages.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Obscured
+  module Doorman
+    module Providers
+      module GitHub
+        MESSAGES = {
+          invalid_domain: 'The domain associated with your email address is not whitelisted, please contact system administrator.'
+        }.freeze
+      end
+    end
+  end
+end

data/lib/obscured-doorman/providers/github/strategy.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'haml'
+require File.expand_path('messages', __dir__)
+
+module Obscured
+  module Doorman
+    module Providers
+      module GitHub
+        class Strategy < Warden::Strategies::Base
+          def valid?
+            emails = GitHub.configuration[:token].emails
+
+            if GitHub.configuration[:domains].nil?
+              return true if emails.length.positive?
+            else
+              return true if valid_domain?
+            end
+
+            fail!(GitHub::MESSAGES[:invalid_domain])
+            false
+          end
+
+          def authenticate!
+            user = Doorman::User.where(:username.in => GitHub.configuration[:token].emails).first
+
+            if user.nil?
+              fail!(Doorman::MESSAGES[:login_bad_credentials])
+            elsif !user.confirmed
+              user.confirm
+
+              fail!(Doorman::MESSAGES[:login_not_confirmed])
+            else
+              success!(user)
+            end
+          end
+
+          private
+
+          def valid_domain?
+            emails = GitHub.configuration[:token].emails || []
+            domains = GitHub.configuration[:domains].split(',')
+
+            emails.each do |email|
+              return true unless domains.detect { |domain| email.end_with?(domain) }.nil?
+            end
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/obscured-doorman/strategies/forgot_password.rb

@@ -0,0 +1,157 @@
+# frozen_string_literal: true
+
+module Obscured
+  module Doorman
+    module Strategies
+      module ForgotPassword
+        def self.registered(app)
+          Warden::Manager.after_authentication do |user, auth, _opts|
+            # If the user requested a new password,
+            # but then remembers and logs in,
+            # then invalidate password reset token
+            user.remembered_password! if auth.winning_strategy.is_a?(Doorman::Strategies::Password)
+          end
+
+          app.get '/doorman/forgot/?' do
+            redirect(Doorman.configuration.paths[:success]) if authenticated?
+
+            email = cookies[:email]
+            email = params[:email] if email.nil?
+
+            haml :forgot, locals: { email: email }
+          end
+
+          app.post '/doorman/forgot' do
+            redirect(Doorman.configuration.paths[:success]) if authenticated?
+            redirect(Doorman.configuration.paths[:login]) unless params[:user]
+
+            user = User.where(username: params[:user][:username]).first
+            if user.nil?
+              notify :error, :forgot_no_user
+              redirect(back)
+            else
+              if user.role.to_sym == Doorman::Roles::SYSTEM
+                notify :error, :reset_system_user
+                redirect(Doorman.configuration.paths[:forgot])
+              end
+
+              token = user.forgot_password!
+              if token.nil? && !token&.type.eql?(:password)
+                notify :error, :token_not_found
+                redirect(back)
+              end
+              if token&.used?
+                notify :error, :token_used
+                redirect(back)
+              end
+
+              if File.exist?('views/doorman/templates/password_reset.haml')
+                template = haml :'/templates/password_reset', layout: false, locals: {
+                  user: user.username,
+                  link: token_link('reset', token.token)
+                }
+                Doorman::Mailer.new(
+                  to: user.username,
+                  subject: 'Password change request',
+                  text: "We have received a password change request for your account (#{user.username}). " + token_link('reset', token.token),
+                  html: template
+                ).deliver!
+              else
+                Doorman.logger.warn "Template not found (views/doorman/templates/password_reset.haml), account password reset at #{token_link('reset', token.token)}"
+              end
+
+              notify :success, :forgot_success
+              redirect(Doorman.configuration.paths[:login])
+            end
+          end
+
+          app.get '/doorman/reset/:token/?' do
+            redirect(Doorman.configuration.paths[:success]) if authenticated?
+
+            if params[:token].nil? || params[:token].empty?
+              notify :error, :token_not_found
+              redirect(Doorman.configuration.paths[:login])
+            end
+
+            token = Token.where(token: params[:token]).first
+            if token.nil?
+              notify :error, :token_not_found
+              redirect(Doorman.configuration.paths[:login])
+            end
+            if token&.used?
+              notify :error, :token_used
+              redirect(Doorman.configuration.paths[:login])
+            end
+
+            user = token&.user
+            if user.nil?
+              notify :error, :reset_no_user
+              redirect(Doorman.configuration.paths[:login])
+            end
+
+            haml :reset, locals: { token: token.token, email: user&.username }
+          end
+
+          app.post '/doorman/reset' do
+            redirect(Doorman.configuration.paths[:success]) if authenticated?
+            redirect(Doorman.configuration.paths[:login]) unless params[:user]
+
+            token = Token.where(token: params[:user][:token]).first
+            if token.nil?
+              notify :error, :token_not_found
+              redirect(back)
+            end
+            if token&.used?
+              notify :error, :token_used
+              redirect(back)
+            end
+
+            user = token&.user
+            if user.nil?
+              notify :error, :reset_no_user
+              redirect(Doorman.configuration.paths[:login])
+            end
+
+            if user&.role&.to_sym == Doorman::Roles::SYSTEM
+              notify :error, :reset_system_user
+              redirect(Doorman.configuration.paths[:login])
+            end
+
+            success = user&.reset_password!(
+              params[:user][:password],
+              params[:user][:token]
+            )
+
+            if success && File.exist?('views/doorman/templates/password_confirmation.haml')
+              position = Geocoder.search(request.ip)
+              template = haml :'/templates/password_confirmation', layout: false, locals: {
+                user: user&.username,
+                browser: "#{request&.browser} #{request&.browser_version}",
+                location: "#{position&.first&.city},#{position&.first&.country}",
+                ip: request&.ip,
+                system: "#{request&.os} #{request&.os_version}"
+              }
+              Doorman::Mailer.new(
+                to: user&.username,
+                subject: 'Password change confirmation',
+                text: "The password for your account (#{user&.username}) was recently changed. This change was made from the following device or browser from: ",
+                html: template
+              ).deliver!
+            else
+              Doorman.logger.warn "Template not found (views/doorman/templates/password_confirmation.haml) The password for your account (#{user&.username}) was recently changed."
+
+              notify :error, :reset_unmatched_passwords
+              redirect(Doorman.configuration.paths[:login])
+            end
+
+            user&.confirm!
+            warden.set_user(user)
+            notify :success, :reset_success
+
+            redirect(Doorman.configuration.use_referrer && session[:return_to] ? session.delete(:return_to) : Doorman.configuration.paths[:success])
+          end
+        end
+      end
+    end
+  end
+end