Commit 057c4b78 authored by o@immerda.ch's avatar o@immerda.ch

fix fetching account properties and admin auth

* account properties (such as whether mail crypt is enabled) need to be queried separately and can no longer be provided by auth (since auth is now done through login.i.c)
* if an account is an admin is now supplied by saml property
parent 6086155d
......@@ -75,7 +75,7 @@ class ApplicationController < ActionController::Base
helper_method :any_resources_enabled?
def admin?
@is_admin ||= Admin::Enabled && Admin::Admins.include?(current_user)
@is_admin ||= Admin::Enabled && session[:is_admin]
end
helper_method :admin?
......@@ -124,10 +124,12 @@ class ApplicationController < ActionController::Base
def reset_user_session
session[:user_id] = nil
session[:is_admin] = false
session[:mail_crypt_recovery_token] = nil
reset_session
session[:locale] = I18n.locale
session[:api_token] = nil
update_session_expiry
end
def api_token
......
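Review bot: `@is_admin ||= Admin::Enabled && session[:is_admin]` memoizes only a truthy result, so for every non-admin request the expression is re-evaluated on each `admin?` call; now that it is a plain session lookup the memoization buys nothing and the body could simply be `Admin::Enabled && session[:is_admin]`. Whatever is stored under `session[:is_admin]` is trusted verbatim here, so the only place that should ever write that key is the SAML login path that sets it from a validated assertion; a one-line comment saying so, `# set only from the validated SAML is_admin attribute in SessionsController#successful_auth`, would help the next reader. In the second hunk, `session[:is_admin] = false` is written immediately before `reset_session` discards the whole session, so like the `session[:user_id] = nil` above it the assignment is dead and can be dropped. Both `admin?` and `reset_user_session` are fully contained in their hunks.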
......@@ -55,16 +55,8 @@ module ApiBackend
end
end
def self.auth(user, pw, handoff, options = {})
if EmailValidation::immerda_email_conform(user)
return post(['auth', if handoff then 'handoff' else 'master' end],
{"email"=>user, "password" => pw}.merge(options))
end
false
end
def self.pre_auth(email)
get(['auth', 'pre_auth'], {'email' => email})
def self.account_properties(email, token)
get(['users', 'properties'], {'email' => email, 'token' => token})
end
def self.app_passwords(email)
......
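Review bot: `account_properties` passes the per-session API token to `get(['users', 'properties'], {'email' => email, 'token' => token})`; if `get` (defined outside this hunk) encodes that hash as URL query parameters, the token is exposed in web-server and proxy access logs on the backend side. Since the hunk also removes the `post`-based `auth` helper, it looks like a body-carrying call is available, so `post(['users', 'properties'], {'email' => email, 'token' => token})` or a request header would keep the token out of URLs — please confirm against the definition of `get`/`post`. A short comment on the method noting that `token` is a credential and must not be logged, `# token is the session API token; keep it out of URLs and logs`, would also be worthwhile.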
# This controller expects you to use the URLs /saml/init and /saml/consume in your OneLogin application.
class SamlController < ApplicationController
class SamlController < SessionsController
skip_before_action :verify_authenticity_token, :only => [:consume]
def init
......@@ -11,16 +11,13 @@ class SamlController < ApplicationController
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse],
settings: saml_settings)
print response.decrypted_document.to_s
# We validate the SAML Response and check if the user already exists in the system
if response.is_valid?
update_session_expiry
# authorize_success, log the user
session[:user_id] = response.name_id
session[:api_token] = response.attributes[:api_token]
else
flash[:notice] = :login_failed
if successful_auth(response.name_id, response.attributes)
return
end
end
flash[:notice] ||= :login_failed
redirect_to '/'
end
......
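Review bot: `print response.decrypted_document.to_s` in `consume` writes the full decrypted SAML assertion, including the subject's name_id and the `api_token` and `is_admin` attributes that the rest of the flow treats as secrets, to stdout on every login; whether this line is newly added or pre-existing context, it should not remain in the new code. Either delete it, or if the dump is needed while integrating with login.i.c, move it to `Rails.logger.debug { response.decrypted_document.to_s }` with a `# TODO: remove before release` so it cannot reach production logs by accident. When `response.is_valid?` holds but `successful_auth` returns false, control falls through to `flash[:notice] ||= :login_failed`, which relies on `successful_auth` having already set a more specific notice; a comment stating that contract would make the `||=` less surprising. `consume` ends within the hunk.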
......@@ -11,25 +11,73 @@ class SessionsController < ApplicationController
def new
flash[:notice] = nil
reset_user_session
load_page
redirect_to '/saml/init'
end
def authorize
end
def allowed_user?(user)
protected
def successful_auth(email, attributes)
if Admin::Enabled
Admin::Admins.include?(user)
if attributes[:is_admin] == "true"
update_session_expiry
session[:is_admin] = true
session[:user_id] = email
session[:api_token] = attributes[:api_token]
redirect_to '/'
return true
end
else
true
begin
api_token = attributes[:api_token]
res = ApiBackend::account_properties(email, api_token)
if res['mail_crypt_enabled'] &&
res['mail_crypt_recovery_token_present']
flash[:notice] = :recovery_token_hint
elsif res['locked']
flash[:notice] = :locked_account_hint
elsif Zxcvbn.test(@input_pw).score < 2
flash[:notice] = :weak_password_hint
elsif res['mail_crypt_enabled'] &&
!session[:recovery_email_set]
flash[:notice] = :recovery_email_hint
else
flash[:notice] = nil
end
update_session_expiry
# authorize_success, log the user
session[:user_id] = email
session[:api_token] = api_token
session[:mail_crypt_enabled] = res['mail_crypt_enabled']
session[:recovery_email_set] = res['recovery_email_set']
session[:possible_resources] = res['possible_resources']
if session[:original_request]
redirect_to session[:original_request]
return true
else
redirect_to '/'
return true
end
rescue ApiBackend::ApiError => e
flash[:notice] = e.api_msg || :failed
end
end
return false
end
def load_page
page = params[:p] || params[:page]
@routes ||= Rails.application.routes.routes.map{|r| "/#{r.name}"}
if @routes.include?(page)
@page = page
session[:original_request] = page
end
end
end
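Review bot: `elsif Zxcvbn.test(@input_pw).score < 2` in `successful_auth` reads `@input_pw`, which is never assigned anywhere visible in this SAML-driven flow (the password is now entered at login.i.c, not in this app), so unless a before-action sets it the call receives `nil` and, as far as I can tell, raises a `NoMethodError` that the `rescue ApiBackend::ApiError` clause does not catch, turning every non-admin login into a 500. Either drop the branch or guard it, `elsif @input_pw && Zxcvbn.test(@input_pw).score < 2`, and add a comment explaining where `@input_pw` is expected to come from if it is still meaningful. The admin branch logs the user in without calling `account_properties`, so `session[:mail_crypt_enabled]`, `session[:recovery_email_set]` and `session[:possible_resources]` are left unset for admins and the `session[:original_request]` redirect is skipped; if that is intentional it deserves a comment, `# admins skip property lookup and always land on /`. The two `redirect_to ... ; return true` arms could collapse to `redirect_to(session[:original_request] || '/'); return true`. `successful_auth` and `load_page` are both fully contained in this hunk.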
module Admin
c = ::Config['admin'] || {}
Enabled = c['enabled'] || false
Admins = c['admins'] || []
UsersUrl = c['users_url'] || 'https://users.example.com'
end
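Review bot: After this commit neither `ApplicationController#admin?` nor `SessionsController#successful_auth` reads `Admin::Admins` any more (admin status now comes from the SAML `is_admin` attribute), so the `Admins = c['admins'] || []` constant and its `admin.admins` config key appear to be dead; if nothing else references them, a comment such as `# admins list is no longer consulted; admin status comes from the SAML is_admin attribute` or removal would prevent operators from believing the list still restricts admin access. The array and string defaults are mutable constants; `.freeze` on `Admins` and `UsersUrl` would match the usual Ruby convention. I cannot see a hunk header for this section, so I am treating it as complete context.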