From 02856073f74c3615c016cb26018b16bae3d0deee Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 20 Feb 2018 17:25:16 +0100 Subject: Fix #6509: Use pull queue for chewy jobs (#6513) --- config/initializers/chewy.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'config/initializers') diff --git a/config/initializers/chewy.rb b/config/initializers/chewy.rb index 702f7516c..d5347f2bf 100644 --- a/config/initializers/chewy.rb +++ b/config/initializers/chewy.rb @@ -9,6 +9,7 @@ Chewy.settings = { prefix: prefix, enabled: enabled, journal: false, + sidekiq: { queue: 'pull' }, } Chewy.root_strategy = enabled ? :sidekiq : :bypass -- cgit From 3084fe49595f44152e9835bded7490bf84d8edef Mon Sep 17 00:00:00 2001 From: Ghislain Loaec Date: Thu, 22 Feb 2018 23:31:25 +0100 Subject: New env variable: SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED + fixes #6533 (#6538) --- .env.production.sample | 3 +++ app/models/concerns/omniauthable.rb | 6 ++++-- config/initializers/omniauth.rb | 3 +++ 3 files changed, 10 insertions(+), 2 deletions(-) (limited to 'config/initializers') diff --git a/.env.production.sample b/.env.production.sample index 38f7326f0..06606ff25 100644 --- a/.env.production.sample +++ b/.env.production.sample @@ -184,7 +184,10 @@ STREAMING_CLUSTER_NUM=1 # SAML_PRIVATE_KEY= # SAML_SECURITY_WANT_ASSERTION_SIGNED=true # SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true +# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true # SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1" # SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" # SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.5.4.42" # SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1" +# SAML_ATTRIBUTES_STATEMENTS_VERIFIED= +# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL= diff --git a/app/models/concerns/omniauthable.rb b/app/models/concerns/omniauthable.rb index a3d55108d..7a396e301 100644 --- a/app/models/concerns/omniauthable.rb +++ b/app/models/concerns/omniauthable.rb 
@@ -53,8 +53,10 @@ module Omniauthable private def user_params_from_auth(auth) - email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email) - email = auth.info.email if email_is_verified && !User.exists?(email: auth.info.email) + assume_verified = Devise.omniauth_configs[:saml].strategy.security.assume_email_is_verified + email_is_verified = auth.info.verified || auth.info.verified_email || assume_verified + email = auth.info.verified_email || auth.info.email + email = email_is_verified && !User.exists?(email: auth.info.email) && email { email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com", diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 97f32c0a4..1b650ad09 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb 
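Review bot: The uniqueness guard on the last added line queries `User.exists?(email: auth.info.email)`, but the address that ends up in the params is `auth.info.verified_email || auth.info.email`. When the two differ, or when only `verified_email` is set, an address already owned by another account is not detected here, and what happens next depends on validations outside this hunk. Check the value that is actually used: `email = email_is_verified && !User.exists?(email: email) && email`. The same line is carried unchanged as context into the later omniauthable.rb hunk in this series. Separately, `assume_verified` marks the IdP-supplied address as verified with no attribute backing it, so the line deserves a comment such as `# Trusts the IdP's email attribute without proof of ownership; only safe when the IdP verifies addresses itself`. The body of user_params_from_auth continues past the end of the hunk.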
@@ -48,10 +48,13 @@ Devise.setup do |config|
 saml_options[:security] = {}
 saml_options[:security][:want_assertions_signed] = ENV['SAML_SECURITY_WANT_ASSERTION_SIGNED'] == 'true'
 saml_options[:security][:want_assertions_encrypted] = ENV['SAML_SECURITY_WANT_ASSERTION_ENCRYPTED'] == 'true'
+ saml_options[:security][:assume_email_is_verified] = ENV['SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true'
 saml_options[:attribute_statements] = {}
 saml_options[:attribute_statements][:uid] = [ENV['SAML_ATTRIBUTES_STATEMENTS_UID']] if ENV['SAML_ATTRIBUTES_STATEMENTS_UID']
 saml_options[:attribute_statements][:email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_EMAIL']
 saml_options[:attribute_statements][:full_name] = [ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_FULL_NAME']
+ saml_options[:attribute_statements][:verified] = [ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED']] if ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED']
+ saml_options[:attribute_statements][:verified_email] = [ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL']] if ENV['SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL']
 saml_options[:uid_attribute] = ENV['SAML_UID_ATTRIBUTE'] if ENV['SAML_UID_ATTRIBUTE']
 config.omniauth :saml, saml_options
 end
-- cgit
From e668180044560e28bdc5eef94744c210013efcda Mon Sep 17 00:00:00 2001
From: Ghislain Loaec
Date: Fri, 23 Feb 2018 01:16:17 +0100
Subject: New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540)
---
 .env.production.sample | 4 ++++
 app/controllers/auth/sessions_controller.rb | 9 +++++++++
 app/models/concerns/omniauthable.rb | 3 ++-
 config/initializers/omniauth.rb | 8 +++++---
 4 files changed, 20 insertions(+), 4 deletions(-)
(limited to 'config/initializers')
diff --git a/.env.production.sample b/.env.production.sample
index d74cdb8f8..21d44a416 100644
--- a/.env.production.sample
+++ b/.env.production.sample
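Review bot: `assume_email_is_verified` is an application-level trust decision, yet the first added line stores it in `saml_options[:security]` beside `want_assertions_signed` with nothing saying what it relaxes. When it is true, user_params_from_auth (omniauthable.rb in this commit) treats whatever address the IdP sends as verified, so the setting is only sound for an IdP that is trusted to verify addresses and whose assertions are signed. I would add a comment above the new line, e.g. `# Accept the IdP's email as verified even without a verified attribute; enable only for a trusted IdP with signed assertions`. The same sentence belongs in .env.production.sample, where the variable is listed with the value `true` and no explanation. The enclosing Devise.setup block and the SAML `if` start outside the hunk.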
@@ -153,6 +153,10 @@ STREAMING_CLUSTER_NUM=1 # Name of the pam service used for checking if an user can register (pam "account" section is evaluated) # PAM_CONTROLLED_SERVICE=rpam +# Global OAuth settings (optional) : +# If you have only one strategy, you may want to enable this +# OAUTH_REDIRECT_AT_SIGN_IN=true + # Optional CAS authentication (cf. omniauth-cas) : # CAS_ENABLED=true # CAS_URL=https://sso.myserver.com/ diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb index 4fc41b378..42a3cb62c 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/auth/sessions_controller.rb @@ -10,6 +10,15 @@ class Auth::SessionsController < Devise::SessionsController prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create] before_action :set_instance_presenter, only: [:new] + def new + Devise.omniauth_configs.each do |provider, config| + if config.strategy.redirect_at_sign_in + return redirect_to(omniauth_authorize_path(resource_name, provider)) + end + end + super + end + def create super do |resource| remember_me(resource) diff --git a/app/models/concerns/omniauthable.rb b/app/models/concerns/omniauthable.rb index 7a396e301..87d93c1fd 100644 --- a/app/models/concerns/omniauthable.rb +++ b/app/models/concerns/omniauthable.rb @@ -53,7 +53,8 @@ module Omniauthable private def user_params_from_auth(auth) - assume_verified = Devise.omniauth_configs[:saml].strategy.security.assume_email_is_verified + strategy = Devise.omniauth_configs[auth.provider.to_sym].strategy + assume_verified = strategy.try(:security).try(:assume_email_is_verified) email_is_verified = auth.info.verified || auth.info.verified_email || assume_verified email = auth.info.verified_email || auth.info.email email = email_is_verified && !User.exists?(email: auth.info.email) && email diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 1b650ad09..92a73d82a 100644 
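Review bot: Once `OAUTH_REDIRECT_AT_SIGN_IN` is true, the `new` action added in sessions_controller.rb returns the redirect before `super` is reached, so nothing in this hunk leaves the password form reachable. Accounts that exist only locally cannot sign in, and an identity-provider outage blocks every login. If the OmniAuth failure handler sends users back to the sign-in page (not visible here), a rejected login would also loop between the two endpoints. If local accounts are meant to stay usable, add an explicit opt-out at the top of the action, for example `return super if params[:local].present?`, and describe it next to the variable in .env.production.sample. Because the flag is global, the loop picks whichever configured provider is iterated first, which deserves a comment above the `each`.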
--- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -4,10 +4,12 @@ end Devise.setup do |config| # Devise omniauth strategies + options = {} + options[:redirect_at_sign_in] = ENV['OAUTH_REDIRECT_AT_SIGN_IN'] == 'true' # CAS strategy if ENV['CAS_ENABLED'] == 'true' - cas_options = {} + cas_options = options cas_options[:url] = ENV['CAS_URL'] if ENV['CAS_URL'] cas_options[:host] = ENV['CAS_HOST'] if ENV['CAS_HOST'] cas_options[:port] = ENV['CAS_PORT'] if ENV['CAS_PORT'] @@ -18,7 +20,7 @@ Devise.setup do |config| cas_options[:login_url] = ENV['CAS_LOGIN_URL'] if ENV['CAS_LOGIN_URL'] cas_options[:uid_field] = ENV['CAS_UID_FIELD'] || 'user' if ENV['CAS_UID_FIELD'] cas_options[:ca_path] = ENV['CAS_CA_PATH'] if ENV['CAS_CA_PATH'] - cas_options[:disable_ssl_verification] = ENV['CAS_DISABLE_SSL_VERIFICATION'] == 'true' if ENV['CAS_DISABLE_SSL_VERIFICATION'] + cas_options[:disable_ssl_verification] = ENV['CAS_DISABLE_SSL_VERIFICATION'] == 'true' cas_options[:uid_key] = ENV['CAS_UID_KEY'] || 'user' cas_options[:name_key] = ENV['CAS_NAME_KEY'] || 'name' cas_options[:email_key] = ENV['CAS_EMAIL_KEY'] || 'email' @@ -33,7 +35,7 @@ Devise.setup do |config| # SAML strategy if ENV['SAML_ENABLED'] == 'true' - saml_options = {} + saml_options = options saml_options[:assertion_consumer_service_url] = ENV['SAML_ACS_URL'] if ENV['SAML_ACS_URL'] saml_options[:issuer] = ENV['SAML_ISSUER'] if ENV['SAML_ISSUER'] saml_options[:idp_sso_target_url] = ENV['SAML_IDP_SSO_TARGET_URL'] if ENV['SAML_IDP_SSO_TARGET_URL'] -- cgit
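Review bot: `cas_options = options` in the first hunk and `saml_options = options` in the third bind both names to the single Hash created by `options = {}`. With CAS and SAML both enabled, every CAS key (`:url`, `:uid_key`, `:disable_ssl_verification`, and so on) is therefore also present in the hash handed to the SAML strategy. The SAML keys are likewise written into the object that was presumably already passed to the CAS strategy. Give each strategy its own copy: `cas_options = options.dup` and `saml_options = options.dup`. Whether either strategy reacts to the foreign keys is not visible here, but security-relevant settings should not travel between providers by accident. The Devise.setup block and both `if` bodies extend beyond the hunks.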