diff options
| author | Ghislain Loaec <gloaec@cadoles.com> | 2018-02-22 23:31:25 +0100 |
|---|---|---|
| committer | Eugen Rochko <eugen@zeonfederated.com> | 2018-02-22 23:31:25 +0100 |
| commit | 3084fe49595f44152e9835bded7490bf84d8edef (patch) | |
| tree | 528ad7c8fece6f5049361572011db050645107f2 | |
| parent | b8535ad4df089166f1cae2cf61e55060223a2671 (diff) | |
New env variable: SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED + fixes #6533 (#6538)
| -rw-r--r-- | .env.production.sample | 3 | ||||
| -rw-r--r-- | app/models/concerns/omniauthable.rb | 6 | ||||
| -rw-r--r-- | config/initializers/omniauth.rb | 3 |
3 files changed, 10 insertions, 2 deletions
diff --git a/.env.production.sample b/.env.production.sample index 38f7326f0..06606ff25 100644 --- a/.env.production.sample +++ b/.env.production.sample @@ -184,7 +184,10 @@ STREAMING_CLUSTER_NUM=1 # SAML_PRIVATE_KEY= # SAML_SECURITY_WANT_ASSERTION_SIGNED=true # SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true +# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true # SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1" # SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" # SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.5.4.42" # SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1" +# SAML_ATTRIBUTES_STATEMENTS_VERIFIED= +# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL= diff --git a/app/models/concerns/omniauthable.rb b/app/models/concerns/omniauthable.rb index a3d55108d..7a396e301 100644 --- a/app/models/concerns/omniauthable.rb +++ b/app/models/concerns/omniauthable.rb @@ -53,8 +53,10 @@ module Omniauthable private def user_params_from_auth(auth) - email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email) - email = auth.info.email if email_is_verified && !User.exists?(email: auth.info.email) + assume_verified = Devise.omniauth_configs[:saml].strategy.security.assume_email_is_verified + email_is_verified = auth.info.verified || auth.info.verified_email || assume_verified + email = auth.info.verified_email || auth.info.email + email = email_is_verified && !User.exists?(email: auth.info.email) && email { email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com", diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 97f32c0a4..1b650ad09 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -48,10 +48,13 @@ Devise.setup do |config| saml_options[:security] = {} saml_options[:security][:want_assertions_signed] = ENV['SAML_SECURITY_WANT_ASSERTION_SIGNED'] == 'true' saml_options[:security][:want_assertions_encrypted] = ENV['SAML_SECURITY_WANT_ASSERTION_ENCRYPTED'] == 'true' + saml_options[:security][:assume_email_is_verified] = ENV['SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true' saml_options[:attribute_statements] = {} saml_options[:attribute_statements][:uid] = [ENV['SAML_ATTRIBUTES_STATEMENTS_UID']] if ENV['SAML_ATTRIBUTES_STATEMENTS_UID'] saml_options[:attribute_statements][:email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL'] saml_options[:attribute_statements][:full_name] = [ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME'] + saml_options[:attribute_statements][:verified] = [ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED']] if ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED'] + saml_options[:attribute_statements][:verified_email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL'] saml_options[:uid_attribute] = ENV['SAML_UID_ATTRIBUTE'] if ENV['SAML_UID_ATTRIBUTE'] config.omniauth :saml, saml_options end |