From 04fef7b8886bb78f3473e143894a521ca578f1db Mon Sep 17 00:00:00 2001 From: Alexander Date: Fri, 2 Feb 2018 10:18:55 +0100 Subject: pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style --- config/initializers/devise.rb | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) (limited to 'config/initializers/devise.rb') diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 07912c28b..f2f7f1ba3 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -30,6 +30,19 @@ Warden::Manager.before_logout do |_, warden| warden.cookies.delete('_session_id') end +module Devise + mattr_accessor :pam_authentication + @@pam_authentication = false + mattr_accessor :pam_controlled_service + @@pam_controlled_service = nil + + class Strategies::PamAuthenticatable + def valid? + super && ::Devise.pam_authentication + end + end +end + Devise.setup do |config| config.warden do |manager| manager.default_strategies(scope: :user).unshift :two_factor_authenticatable @@ -96,7 +109,7 @@ Devise.setup do |config| # given strategies, for example, `config.http_authenticatable = [:database]` will # enable it only for database authentication. The supported strategies are: # :database = Support basic authentication with authentication key + password - config.http_authenticatable = [:database] + config.http_authenticatable = [:pam, :database] # If 401 status code should be returned for AJAX requests. True by default. # config.http_authenticatable_on_xhr = true @@ -301,4 +314,23 @@ Devise.setup do |config| # When using OmniAuth, Devise cannot automatically set OmniAuth path, # so you need to do it manually. For the users scope, it would be: # config.omniauth_path_prefix = '/my_engine/users/auth' + + # PAM: only look for email field + config.usernamefield = nil + config.emailfield = "email" + + # authentication with pam possible + # if not enabled, all pam settings are ignored + #config.pam_authentication = true + # check if email is actually a username + config.check_at_sign = true + # suffix for email address generation (warning: without pam must provide email in the pam environment) + config.pam_default_suffix = "pam" + # name of the pam service + # pam "auth" section is evaluated + config.pam_default_service = "rpam" + # name of the pam service used for checking if an user can register + # pam "account" section is evaluated + # nil for allowing registration of pam names (not recommended) + config.pam_controlled_service = "rpam" end -- cgit