CAS + SAML authentication feature (#6425)

* Cas authentication feature

* Config

* Remove class_eval + Omniauth initializer

* Codeclimate review

* Codeclimate review 2

* Codeclimate review 3

* Remove uid/email reconciliation

* SAML authentication

* Clean up code

* Improve login form

* Fix code style issues

* Add locales

5 files changed, 69 insertions, 0 deletions

diff --git a/config/i18n-tasks.yml b/config/i18n-tasks.yml
index 014055804..bcd816d30 100644
--- a/config/i18n-tasks.yml
+++ b/config/i18n-tasks.yml
@@ -46,6 +46,7 @@ ignore_missing:
   - 'terms.body_html'
   - 'application_mailer.salutation'
   - 'errors.500'
+  - 'auth.providers.*'
 
 ignore_unused:
   - 'activemodel.errors.*'
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
new file mode 100644
index 000000000..97f32c0a4
--- /dev/null
+++ b/config/initializers/omniauth.rb
@@ -0,0 +1,59 @@
+Rails.application.config.middleware.use OmniAuth::Builder do
+  # Vanilla omniauth stategies
+end
+
+Devise.setup do |config|
+  # Devise omniauth strategies
+
+  # CAS strategy
+  if ENV['CAS_ENABLED'] == 'true'
+    cas_options = {}
+    cas_options[:url] = ENV['CAS_URL'] if ENV['CAS_URL']
+    cas_options[:host] = ENV['CAS_HOST'] if ENV['CAS_HOST']
+    cas_options[:port] = ENV['CAS_PORT'] if ENV['CAS_PORT']
+    cas_options[:ssl] = ENV['CAS_SSL'] == 'true' if ENV['CAS_SSL']
+    cas_options[:validate_url] = ENV['CAS_VALIDATE_URL'] if ENV['CAS_VALIDATE_URL']
+    cas_options[:callback_url] = ENV['CAS_CALLBACK_URL'] if ENV['CAS_CALLBACK_URL']
+    cas_options[:logout_url] = ENV['CAS_LOGOUT_URL'] if ENV['CAS_LOGOUT_URL']
+    cas_options[:login_url] = ENV['CAS_LOGIN_URL'] if ENV['CAS_LOGIN_URL']
+    cas_options[:uid_field] = ENV['CAS_UID_FIELD'] || 'user' if ENV['CAS_UID_FIELD']
+    cas_options[:ca_path] = ENV['CAS_CA_PATH'] if ENV['CAS_CA_PATH']
+    cas_options[:disable_ssl_verification] = ENV['CAS_DISABLE_SSL_VERIFICATION'] == 'true' if ENV['CAS_DISABLE_SSL_VERIFICATION']
+    cas_options[:uid_key] = ENV['CAS_UID_KEY'] || 'user'
+    cas_options[:name_key] = ENV['CAS_NAME_KEY'] || 'name'
+    cas_options[:email_key] = ENV['CAS_EMAIL_KEY'] || 'email'
+    cas_options[:nickname_key] = ENV['CAS_NICKNAME_KEY'] || 'nickname'
+    cas_options[:first_name_key] = ENV['CAS_FIRST_NAME_KEY'] || 'firstname'
+    cas_options[:last_name_key] = ENV['CAS_LAST_NAME_KEY'] || 'lastname'
+    cas_options[:location_key] = ENV['CAS_LOCATION_KEY'] || 'location'
+    cas_options[:image_key] = ENV['CAS_IMAGE_KEY'] || 'image'
+    cas_options[:phone_key] = ENV['CAS_PHONE_KEY'] || 'phone'
+    config.omniauth :cas, cas_options
+  end
+
+  # SAML strategy
+  if ENV['SAML_ENABLED'] == 'true'
+    saml_options = {}
+    saml_options[:assertion_consumer_service_url] = ENV['SAML_ACS_URL'] if ENV['SAML_ACS_URL']
+    saml_options[:issuer] = ENV['SAML_ISSUER'] if ENV['SAML_ISSUER']
+    saml_options[:idp_sso_target_url] = ENV['SAML_IDP_SSO_TARGET_URL']  if ENV['SAML_IDP_SSO_TARGET_URL']
+    saml_options[:idp_sso_target_url_runtime_params] = ENV['SAML_IDP_SSO_TARGET_PARAMS'] if ENV['SAML_IDP_SSO_TARGET_PARAMS'] # FIXME: Should be parsable Hash
+    saml_options[:idp_cert] = ENV['SAML_IDP_CERT'] if ENV['SAML_IDP_CERT']
+    saml_options[:idp_cert_fingerprint] = ENV['SAML_IDP_CERT_FINGERPRINT'] if ENV['SAML_IDP_CERT_FINGERPRINT']
+    saml_options[:idp_cert_fingerprint_validator] = ENV['SAML_IDP_CERT_FINGERPRINT_VALIDATOR'] if ENV['SAML_IDP_CERT_FINGERPRINT_VALIDATOR'] # FIXME: Should be Lambda { |fingerprint| }
+    saml_options[:name_identifier_format] = ENV['SAML_NAME_IDENTIFIER_FORMAT'] if ENV['SAML_NAME_IDENTIFIER_FORMAT']
+    saml_options[:request_attributes] = {}
+    saml_options[:certificate] = ENV['SAML_CERT'] if ENV['SAML_CERT']
+    saml_options[:private_key] = ENV['SAML_PRIVATE_KEY'] if ENV['SAML_PRIVATE_KEY']
+    saml_options[:security] = {}
+    saml_options[:security][:want_assertions_signed] = ENV['SAML_SECURITY_WANT_ASSERTION_SIGNED'] == 'true'
+    saml_options[:security][:want_assertions_encrypted] = ENV['SAML_SECURITY_WANT_ASSERTION_ENCRYPTED'] == 'true'
+    saml_options[:attribute_statements] = {}
+    saml_options[:attribute_statements][:uid] = [ENV['SAML_ATTRIBUTES_STATEMENTS_UID']] if ENV['SAML_ATTRIBUTES_STATEMENTS_UID']
+    saml_options[:attribute_statements][:email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']
+    saml_options[:attribute_statements][:full_name] = [ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']
+    saml_options[:uid_attribute] = ENV['SAML_UID_ATTRIBUTE'] if ENV['SAML_UID_ATTRIBUTE']
+    config.omniauth :saml, saml_options
+  end
+
+end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index cd6138ff2..6805a6e87 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -355,6 +355,7 @@ en:
   auth:
     agreement_html: By signing up you agree to follow <a href="%{rules_path}">the rules of the instance</a> and <a href="%{terms_path}">our terms of service</a>.
     change_password: Security
+    confirm_email: Confirm email
     delete_account: Delete account
     delete_account_html: If you wish to delete your account, you can <a href="%{path}">proceed here</a>. You will be asked for confirmation.
     didnt_get_confirmation: Didn't receive confirmation instructions?
@@ -364,6 +365,10 @@ en:
     logout: Logout
     migrate_account: Move to a different account
     migrate_account_html: If you wish to redirect this account to a different one, you can <a href="%{path}">configure it here</a>.
+    or_log_in_with: Or log in with
+    providers:
+      cas: CAS
+      saml: SAML
     register: Sign up
     resend_confirmation: Resend confirmation instructions
     reset_password: Reset password
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index 3ad535f28..f0fc07f7a 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -355,6 +355,7 @@ fr:
   auth:
     agreement_html: En vous inscrivant, vous souscrivez <a href="%{rules_path}">aux règles de l’instance</a> et à <a href="%{terms_path}">nos conditions d’utilisation</a>.
     change_password: Sécurité
+    confirm_email: Confirmer mon adresse mail
     delete_account: Supprimer le compte
     delete_account_html: Si vous désirez supprimer votre compte, vous pouvez <a href="%{path}">cliquer ici</a>. Il vous sera demandé de confirmer cette action.
     didnt_get_confirmation: Vous n’avez pas reçu les consignes de confirmation ?
@@ -364,6 +365,7 @@ fr:
     logout: Se déconnecter
     migrate_account: Déplacer vers un compte différent
     migrate_account_html: Si vous voulez rediriger ce compte vers un autre, vous pouvez le <a href="%{path}">configurer ici</a>.
+    or_log_in_with: Ou authentifiez-vous avec
     register: S’inscrire
     resend_confirmation: Envoyer à nouveau les consignes de confirmation
     reset_password: Réinitialiser le mot de passe
diff --git a/config/routes.rb b/config/routes.rb
index 80a2c6d13..34f33fa95 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -24,9 +24,11 @@ Rails.application.routes.draw do
 
   devise_scope :user do
     get '/invite/:invite_code', to: 'auth/registrations#new', as: :public_invite
+    match '/auth/finish_signup' => 'auth/confirmations#finish_signup', via: [:get, :patch], as: :finish_signup
   end
 
   devise_for :users, path: 'auth', controllers: {
+    omniauth_callbacks: 'auth/omniauth_callbacks',
     sessions:           'auth/sessions',
     registrations:      'auth/registrations',
     passwords:          'auth/passwords',