openproject/lib/open_project/authentication/strategies/warden/global_basic_auth.rb

require 'warden/basic_auth'

module OpenProject
  module Authentication
    module Strategies
      module Warden
        ##
        # Allows authentication via a singular set of basic auth credentials for admin access.
        #
        # The credentials must be configured in `config/configuration.yml` like this:
        #
        #     production:
        #       authentication:
        #         global_basic_auth:
        #           user: admin
        #           password: 123456
        #
        # The strategy will only be triggered when the configured user name is sent.
        # Meaning that this strategy is skipped if a basic auth attempt involving any
        # other user name is made.
        class GlobalBasicAuth < ::Warden::Strategies::BasicAuth
          def self.configuration
            @configuration ||= configure!
          end

          ##
          # Updates the configuration for this strategy. It's usually called only once, at startup.
          #
          # @param [Hash] config The configuration to be used. Must contain :user and :password.
          # @raise [ArgumentError] Raises an error if the configured user name collides with the
          #                        user name used for UserBasicAuth (apikey) or if the
          #                        provided password is empty.
          # @return [Hash] The new hash set for the configuration or an empty hash if
          #                no configuration was provided.
          def self.configure!(config = openproject_config)
            return {} if config.empty?

            if config[:user] == UserBasicAuth.user
              raise ArgumentError, "global user must not be '#{UserBasicAuth.user}'"
            end

            if config[:password].blank?
              raise ArgumentError, 'password must not be empty'
            end

            @configuration = config
          end

          ##
          # Reads the configuration for this strategy from OpenProject's `configuration.yml`.
          def self.openproject_config
            config = OpenProject::Configuration
            %w(authentication global_basic_auth).inject(config) do |acc, key|
              HashWithIndifferentAccess.new acc[key]
            end
          end

          def self.configuration?
            user && password
          end

          def self.user
            configuration[:user]
          end

          def self.password
            configuration[:password].to_s
          end

          ##
          # Only valid if global basic auth is configured and tried.
          def valid?
            self.class.configuration? && super && username == self.class.user
          end

          def authenticate_user(username, password)
            if username == self.class.user && password == self.class.password
              User.system.tap do |user|
                user.admin = true
              end
            end
          end
        end
      end
    end
  end
end
moved strategies; refactoring 10 years ago			`require 'warden/basic_auth'`

			`module OpenProject`
			`module Authentication`
			`module Strategies`
			`module Warden`
			`##`
			`# Allows authentication via a singular set of basic auth credentials for admin access.`
			`#`
			# The credentials must be configured in `config/configuration.yml` like this:
			`#`
			`# production:`
			`# authentication:`
			`# global_basic_auth:`
			`# user: admin`
			`# password: 123456`
			`#`
			`# The strategy will only be triggered when the configured user name is sent.`
			`# Meaning that this strategy is skipped if a basic auth attempt involving any`
			`# other user name is made.`
			`class GlobalBasicAuth < ::Warden::Strategies::BasicAuth`
			`def self.configuration`
			`@configuration \|\|= configure!`
			`end`

			`##`
			`# Updates the configuration for this strategy. It's usually called only once, at startup.`
			`#`
			`# @param [Hash] config The configuration to be used. Must contain :user and :password.`
			`# @raise [ArgumentError] Raises an error if the configured user name collides with the`
amended comment 10 years ago			`# user name used for UserBasicAuth (apikey) or if the`
			`# provided password is empty.`
			`# @return [Hash] The new hash set for the configuration or an empty hash if`
			`# no configuration was provided.`
moved strategies; refactoring 10 years ago			`def self.configure!(config = openproject_config)`
do nothing when configuration is missing altogether 10 years ago			`return {} if config.empty?`

moved strategies; refactoring 10 years ago			`if config[:user] == UserBasicAuth.user`
			`raise ArgumentError, "global user must not be '#{UserBasicAuth.user}'"`
			`end`

allow digit-only but not empty passwords 10 years ago			`if config[:password].blank?`
Fix syntax (w/Rubocop) in lib code Signed-off-by: Alex Coles <alex@alexbcoles.com> 9 years ago			`raise ArgumentError, 'password must not be empty'`
allow digit-only but not empty passwords 10 years ago			`end`

moved strategies; refactoring 10 years ago			`@configuration = config`
			`end`

			`##`
			# Reads the configuration for this strategy from OpenProject's `configuration.yml`.
			`def self.openproject_config`
			`config = OpenProject::Configuration`
			`%w(authentication global_basic_auth).inject(config) do \|acc, key\|`
			`HashWithIndifferentAccess.new acc[key]`
			`end`
			`end`

			`def self.configuration?`
			`user && password`
			`end`

			`def self.user`
			`configuration[:user]`
			`end`

			`def self.password`
allow digit-only but not empty passwords 10 years ago			`configuration[:password].to_s`
moved strategies; refactoring 10 years ago			`end`

			`##`
			`# Only valid if global basic auth is configured and tried.`
			`def valid?`
			`self.class.configuration? && super && username == self.class.user`
			`end`

			`def authenticate_user(username, password)`
			`if username == self.class.user && password == self.class.password`
			`User.system.tap do \|user\|`
			`user.admin = true`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`