## # If OPENPROJECT_AUTH__SOURCE__SSO_HEADER and OPENPROJECT_AUTH__SOURCE__SSO_SECRET are # configured OpenProject will login the user given in the HTTP header with the given name # together with the secret in the form of `login:$secret`. module AuthSourceSSO def find_current_user user = super return user if user || sso_in_progress! if login = read_sso_login user = find_user_from_auth_source(login) || create_user_from_auth_source(login) handle_sso_for! user, login end end def read_sso_login return nil unless header_name && secret login, given_secret = String(request.headers[header_name]).split(":") login if valid_credentials? login, given_secret end def sso_config @sso_config ||= OpenProject::Configuration.auth_source_sso.try(:with_indifferent_access) end def header_name sso_config && sso_config[:header] end def secret sso_config && sso_config[:secret] end def valid_credentials?(login, secret) !invalid_credentials?(login, secret) end def invalid_credentials?(login, secret) if secret != self.secret.to_s Rails.logger.error( "Secret contained in auth source SSO header not valid. " + "(#{header_name}: #{request.headers[header_name]})" ) true elsif login.nil? Rails.logger.error( "No login contained in auth source SSO header. " + "(#{header_name}: #{request.headers[header_name]})" ) true end end def find_user_from_auth_source(login) User.where(login: login).where.not(auth_source_id: nil).first end def create_user_from_auth_source(login) if attrs = AuthSource.find_user(login) # login is both safe and protected in chilis core code # in case it's intentional we keep it that way user = User.new attrs.except(:login) user.login = login user.language = Setting.default_language save_user! user user end end def save_user!(user) if user.save user.reload if logger && user.auth_source logger.info( "User '#{user.login}' created from external auth source: " + "#{user.auth_source.type} - #{user.auth_source.name}" ) end end end def sso_in_progress! sso_failure_in_progress! || session[:auth_source_registration] end def sso_failure_in_progress! failure = session[:auth_source_sso_failure] if failure if failure[:ttl] > 0 session[:auth_source_sso_failure] = failure.merge(ttl: failure[:ttl] - 1) else session.delete :auth_source_sso_failure nil end end end def sso_login_failed?(user) user.nil? || user.new_record? || !user.active? end def handle_sso_for!(user, login) if sso_login_failed?(user) handle_sso_failure! user, login else # valid user handle_sso_success user end end def handle_sso_success(user) session[:user_id] = user.id user end def handle_sso_failure!(user, login) session[:auth_source_sso_failure] = { user: user, login: login, back_url: request.base_url + request.original_fullpath, ttl: 1 } redirect_to sso_failure_path end end