From a6ed6845c9cab3b314ce6434b851cc507a71ee62 Mon Sep 17 00:00:00 2001 From: chandrn7 Date: Wed, 9 Mar 2022 06:07:35 -0500 Subject: Allow login through OpenID Connect (#16221) * added OpenID Connect as an SSO option * minor fixes * added comments, removed an option that shouldn't be set * fixed Gemfile.lock * added newline to end of Gemfile.lock * removed tab from Gemfile.lock * remove chomp * codeclimate changes and small name change to make function's purpose clearer * codeclimate fix * added SSO buttons to /about page * minor refactor * minor style change * removed spurious change * removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth * minor changes --- config/initializers/omniauth.rb | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) (limited to 'config/initializers') diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 1a041ad48..51241e546 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -8,7 +8,8 @@ Devise.setup do |config| # CAS strategy if ENV['CAS_ENABLED'] == 'true' - cas_options = options + cas_options = {} + cas_options[:display_name] = ENV['CAS_DISPLAY_NAME'] || 'cas' cas_options[:url] = ENV['CAS_URL'] if ENV['CAS_URL'] cas_options[:host] = ENV['CAS_HOST'] if ENV['CAS_HOST'] cas_options[:port] = ENV['CAS_PORT'] if ENV['CAS_PORT'] @@ -36,7 +37,8 @@ Devise.setup do |config| # SAML strategy if ENV['SAML_ENABLED'] == 'true' - saml_options = options + saml_options = {} + saml_options[:display_name] = ENV['SAML_DISPLAY_NAME'] || 'saml' saml_options[:assertion_consumer_service_url] = ENV['SAML_ACS_URL'] if ENV['SAML_ACS_URL'] saml_options[:issuer] = ENV['SAML_ISSUER'] if ENV['SAML_ISSUER'] saml_options[:idp_sso_target_url] = ENV['SAML_IDP_SSO_TARGET_URL'] if ENV['SAML_IDP_SSO_TARGET_URL'] @@ -64,4 +66,39 @@ Devise.setup do |config| saml_options[:allowed_clock_drift] = ENV['SAML_ALLOWED_CLOCK_DRIFT'] if ENV['SAML_ALLOWED_CLOCK_DRIFT'] config.omniauth :saml, saml_options end + + # OpenID Connect Strategy + if ENV['OIDC_ENABLED'] == 'true' + oidc_options = {} + oidc_options[:display_name] = ENV['OIDC_DISPLAY_NAME'] || 'openid_connect' #OPTIONAL + oidc_options[:issuer] = ENV['OIDC_ISSUER'] if ENV['OIDC_ISSUER'] #NEED + oidc_options[:discovery] = ENV['OIDC_DISCOVERY'] == 'true' if ENV['OIDC_DISCOVERY'] #OPTIONAL (default: false) + oidc_options[:client_auth_method] = ENV['OIDC_CLIENT_AUTH_METHOD'] if ENV['OIDC_CLIENT_AUTH_METHOD'] #OPTIONAL (default: basic) + scope_string = ENV['OIDC_SCOPE'] if ENV['OIDC_SCOPE'] #NEED + scopes = scope_string.split(',') + oidc_options[:scope] = scopes.map { |x| x.to_sym } + oidc_options[:response_type] = ENV['OIDC_RESPONSE_TYPE'] if ENV['OIDC_RESPONSE_TYPE'] #OPTIONAL (default: code) + oidc_options[:response_mode] = ENV['OIDC_RESPONSE_MODE'] if ENV['OIDC_RESPONSE_MODE'] #OPTIONAL (default: query) + oidc_options[:display] = ENV['OIDC_DISPLAY'] if ENV['OIDC_DISPLAY'] #OPTIONAL (default: page) + oidc_options[:prompt] = ENV['OIDC_PROMPT'] if ENV['OIDC_PROMPT'] #OPTIONAL + oidc_options[:send_nonce] = ENV['OIDC_SEND_NONCE'] == 'true' if ENV['OIDC_SEND_NONCE'] #OPTIONAL (default: true) + oidc_options[:send_scope_to_token_endpoint] = ENV['OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT'] == 'true' if ENV['OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT'] #OPTIONAL (default: true) + oidc_options[:post_logout_redirect_uri] = ENV['OIDC_IDP_LOGOUT_REDIRECT_URI'] if ENV['OIDC_IDP_LOGOUT_REDIRECT_URI'] #OPTIONAL + oidc_options[:uid_field] = ENV['OIDC_UID_FIELD'] if ENV['OIDC_UID_FIELD'] #NEED + oidc_options[:client_options] = {} + oidc_options[:client_options][:identifier] = ENV['OIDC_CLIENT_ID'] if ENV['OIDC_CLIENT_ID'] #NEED + oidc_options[:client_options][:secret] = ENV['OIDC_CLIENT_SECRET'] if ENV['OIDC_CLIENT_SECRET'] #NEED + oidc_options[:client_options][:redirect_uri] = ENV['OIDC_REDIRECT_URI'] if ENV['OIDC_REDIRECT_URI'] #NEED + oidc_options[:client_options][:scheme] = ENV['OIDC_HTTP_SCHEME'] if ENV['OIDC_HTTP_SCHEME'] #OPTIONAL (default: https) + oidc_options[:client_options][:host] = ENV['OIDC_HOST'] if ENV['OIDC_HOST'] #OPTIONAL + oidc_options[:client_options][:port] = ENV['OIDC_PORT'] if ENV['OIDC_PORT'] #OPTIONAL + oidc_options[:client_options][:authorization_endpoint] = ENV['OIDC_AUTH_ENDPOINT'] if ENV['OIDC_AUTH_ENDPOINT'] #NEED when discovery != true + oidc_options[:client_options][:token_endpoint] = ENV['OIDC_TOKEN_ENDPOINT'] if ENV['OIDC_TOKEN_ENDPOINT'] #NEED when discovery != true + oidc_options[:client_options][:userinfo_endpoint] = ENV['OIDC_USER_INFO_ENDPOINT'] if ENV['OIDC_USER_INFO_ENDPOINT'] #NEED when discovery != true + oidc_options[:client_options][:jwks_uri] = ENV['OIDC_JWKS_URI'] if ENV['OIDC_JWKS_URI'] #NEED when discovery != true + oidc_options[:client_options][:end_session_endpoint] = ENV['OIDC_END_SESSION_ENDPOINT'] if ENV['OIDC_END_SESSION_ENDPOINT'] #OPTIONAL + oidc_options[:security] = {} + oidc_options[:security][:assume_email_is_verified] = ENV['OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true' #OPTIONAL + config.omniauth :openid_connect, oidc_options + end end -- cgit From 46ad7fea9d67631f54dd1ef45114a08cd2c5db73 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 12 Mar 2022 09:23:53 +0100 Subject: Bump rack-attack from 6.5.0 to 6.6.0 (#17405) * Bump rack-attack from 6.5.0 to 6.6.0 Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0) --- updated-dependencies: - dependency-name: rack-attack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Fix usage of deprecated API Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugen Rochko --- Gemfile | 2 +- Gemfile.lock | 4 ++-- config/initializers/rack_attack.rb | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'config/initializers') diff --git a/Gemfile b/Gemfile index 5f5f21ecc..39515507f 100644 --- a/Gemfile +++ b/Gemfile @@ -68,7 +68,7 @@ gem 'parslet' gem 'posix-spawn' gem 'pundit', '~> 2.2' gem 'premailer-rails' -gem 'rack-attack', '~> 6.5' +gem 'rack-attack', '~> 6.6' gem 'rack-cors', '~> 1.1', require: 'rack/cors' gem 'rails-i18n', '~> 6.0' gem 'rails-settings-cached', '~> 0.6' diff --git a/Gemfile.lock b/Gemfile.lock index 075a4e9cb..89187d1b0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -466,7 +466,7 @@ GEM raabro (1.4.0) racc (1.6.0) rack (2.2.3) - rack-attack (6.5.0) + rack-attack (6.6.0) rack (>= 1.0, < 3) rack-cors (1.1.1) rack (>= 2.0.0) @@ -800,7 +800,7 @@ DEPENDENCIES puma (~> 5.6) pundit (~> 2.2) rack (~> 2.2.3) - rack-attack (~> 6.5) + rack-attack (~> 6.6) rack-cors (~> 1.1) rails (~> 6.1.4) rails-controller-testing (~> 1.0) diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index c3733e377..745eb5d3b 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -118,9 +118,9 @@ class Rack::Attack req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path == '/auth/sign_in' end - self.throttled_response = lambda do |env| + self.throttled_responder = lambda do |request| now = Time.now.utc - match_data = env['rack.attack.match_data'] + match_data = request.env['rack.attack.match_data'] headers = { 'Content-Type' => 'application/json', -- cgit From eb9a7e36260c99aec980d097ee819c17ebb93631 Mon Sep 17 00:00:00 2001 From: Yamagishi Kazutoshi Date: Tue, 15 Mar 2022 03:20:40 +0900 Subject: Fix LetterOpennerWeb CSP (#17770) --- config/initializers/content_security_policy.rb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'config/initializers') diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index b377b7b4d..c113b0f8b 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -60,4 +60,20 @@ Rails.application.reloader.to_prepare do PgHero::HomeController.after_action do request.content_security_policy_nonce_generator = nil end + + if Rails.env.development? + LetterOpenerWeb::LettersController.content_security_policy do |p| + p.child_src :self + p.connect_src :none + p.frame_ancestors :self + p.frame_src :self + p.script_src :unsafe_inline + p.style_src :unsafe_inline + p.worker_src :none + end + + LetterOpenerWeb::LettersController.after_action do |p| + request.content_security_policy_nonce_directives = %w(script-src) + end + end end -- cgit From 895212bb2f05762453ab14c9424e80bae169b75d Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 15 Mar 2022 20:27:49 +0100 Subject: Fix PgHero suggesting migrations (#17807) * Fix PgHero suggesting migrations Fixes #17768 * Keep migration suggestions in development env --- config/initializers/pghero.rb | 1 + 1 file changed, 1 insertion(+) create mode 100644 config/initializers/pghero.rb (limited to 'config/initializers') diff --git a/config/initializers/pghero.rb b/config/initializers/pghero.rb new file mode 100644 index 000000000..0c77d6d0f --- /dev/null +++ b/config/initializers/pghero.rb @@ -0,0 +1 @@ +PgHero.show_migrations = Rails.env.development? -- cgit