From 04fef7b8886bb78f3473e143894a521ca578f1db Mon Sep 17 00:00:00 2001 From: Alexander Date: Fri, 2 Feb 2018 10:18:55 +0100 Subject: pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style --- app/models/user.rb | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) (limited to 'app/models') diff --git a/app/models/user.rb b/app/models/user.rb index 40c298b1a..fa4ebfc71 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -34,6 +34,7 @@ # disabled :boolean default(FALSE), not null # moderator :boolean default(FALSE), not null # invite_id :integer +# remember_token :string # class User < ApplicationRecord @@ -50,6 +51,8 @@ class User < ApplicationRecord devise :registerable, :recoverable, :rememberable, :trackable, :validatable, :confirmable + devise :pam_authenticatable + belongs_to :account, inverse_of: :user belongs_to :invite, counter_cache: :uses, optional: true accepts_nested_attributes_for :account @@ -84,6 +87,33 @@ class User < ApplicationRecord attr_accessor :invite_code + def pam_conflict(_) + # block pam login tries on traditional account + nil + end + + def pam_conflict? + return false unless Devise.pam_authentication + encrypted_password.present? && is_pam_account? + end + + def pam_get_name + return account.username if account.present? + super + end + + def pam_setup(_attributes) + acc = Account.new(username: pam_get_name) + acc.save!(validate: false) + + self.email = "#{acc.username}@#{find_pam_suffix}" if email.nil? && find_pam_suffix + self.confirmed_at = Time.now.utc + self.admin = false + self.account = acc + + acc.destroy! unless save + end + def confirmed? confirmed_at.present? end @@ -213,6 +243,45 @@ class User < ApplicationRecord @invite_code = code end + def password_required? + return false if Devise.pam_authentication + super + end + + def send_reset_password_instructions + return false if encrypted_password.blank? && Devise.pam_authentication + super + end + + def reset_password!(new_password, new_password_confirmation) + return false if encrypted_password.blank? && Devise.pam_authentication + super + end + + def self.pam_get_user(attributes = {}) + if attributes[:email] + resource = + if Devise.check_at_sign && !attributes[:email].index('@') + joins(:account).find_by(accounts: { username: attributes[:email] }) + else + find_by(email: attributes[:email]) + end + + if resource.blank? + resource = new(email: attributes[:email]) + if Devise.check_at_sign && !resource[:email].index('@') + resource[:email] = "#{attributes[:email]}@#{resource.find_pam_suffix}" + end + end + resource + end + end + + def self.authenticate_with_pam(attributes = {}) + return nil unless Devise.pam_authentication + super + end + protected def send_devise_notification(notification, *args) -- cgit