bitzesty · phil-l-brockwell · Oct 30, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/Gemfile b/Gemfile
@@ -64,6 +64,8 @@ gem "devise-authy", ">= 1.10.0"
 gem "pundit", "~> 0.3"
 gem "devise_zxcvbn", ">= 4.4.1"
 gem "devise-security", "~> 0.18.0"
+gem "omniauth-rails_csrf_protection"
+gem "omniauth-oauth2"
 
 # GOV.UK Notify support (for mailers)
 gem "mail-notify", "~> 2.0"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -352,6 +352,8 @@ GEM
     money (6.16.0)
       i18n (>= 0.6.4, <= 2)
     multi_json (1.15.0)
+    multi_xml (0.7.1)
+      bigdecimal (~> 3.1)
     multipart-post (2.3.0)
     mustermann (3.0.0)
       ruby2_keywords (~> 0.0.1)
@@ -379,6 +381,21 @@ GEM
       racc (~> 1.4)
     notifications-ruby-client (6.0.0)
       jwt (>= 1.5, < 3)
+    oauth2 (1.4.11)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+    omniauth (1.9.2)
+      hashie (>= 3.4.6)
+      rack (>= 1.6.2, < 3)
+    omniauth-oauth2 (1.3.1)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     orm_adapter (0.5.0)
     pagy (7.0.11)
     paper_trail (12.2.0)
@@ -775,6 +792,8 @@ DEPENDENCIES
   matrix
   nilify_blanks
   nokogiri
+  omniauth-oauth2
+  omniauth-rails_csrf_protection
   paper_trail (~> 12.2.0)
   paper_trail-association_tracking
   pdf-inspector

diff --git a/app/controllers/admin/admins_controller.rb b/app/controllers/admin/admins_controller.rb
@@ -1,54 +1,14 @@
-class Admin::AdminsController < Admin::UsersController
-  before_action :find_resource, except: [:index, :new, :create, :login_as_assessor, :login_as_user]
+class Admin::AdminsController < Admin::BaseController
+  before_action :find_resource, except: [:index, :login_as_assessor, :login_as_user]
+
   def index
     params[:search] ||= AdminSearch::DEFAULT_SEARCH
     params[:search].permit!
     authorize Admin, :index?
     @search = AdminSearch.new(Admin.all)
                          .search(params[:search])
     @resources = @search.results.page(params[:page])
-  end
-
-  def new
-    @resource = Admin.new
-    authorize @resource, :create?
-  end
-
-  def create
-    @resource = Admin.new(resource_params)
-    @resource.skip_password_validation = true
-    authorize @resource, :create?
-
-    @resource.save
-
-    render_flash_message_for(@resource, message: @resource.errors.none? ? nil : @resource.errors.messages.values.flatten.uniq.join("<br />"))
-
-    location = @resource.persisted? ? admin_admins_path : nil
-    respond_with :admin, @resource, location: location
-  end
-
-  def update
-    authorize @resource, :update?
-
-    if resource_params[:password].present?
-      @resource.update(resource_params)
-    else
-      @resource.skip_password_validation = true
-      @resource.update_without_password(resource_params)
-    end
-
-    render_flash_message_for(@resource, message: @resource.errors.none? ? nil : @resource.errors.messages.values.flatten.uniq.join("<br />"))
-
-    respond_with :admin, @resource, location: admin_admins_path
-  end
-
-  def destroy
-    authorize @resource, :destroy?
-    @resource.soft_delete!
-
-    render_flash_message_for(@resource, message: @resource.errors.none? ? nil : @resource.errors.messages.values.flatten.uniq.join("<br />"))
-
-    respond_with :admin, @resource, location: admin_admins_path
+    render template: "admin/users/index"
   end
 
   # NOTE: debug abilities for Admin - BEGIN
@@ -74,13 +34,4 @@ def login_as_user
   def find_resource
     @resource = Admin.find(params[:id])
   end
-
-  def resource_params
-    params.require(:admin)
-      .permit(:email,
-        :password,
-        :password_confirmation,
-        :first_name,
-        :last_name)
-  end
 end
diff --git a/app/controllers/admins/confirmations_controller.rb b/app/controllers/admins/confirmations_controller.rb
@@ -1,9 +1,2 @@
 class Admins::ConfirmationsController < Devise::ConfirmationsController
-  include PasswordSettable
-
-  private
-
-  def password_reset_path(token)
-    edit_admin_password_path(reset_password_token: token, locals: { password_not_set: true })
-  end
 end
diff --git a/app/controllers/admins/omniauth_callbacks_controller.rb b/app/controllers/admins/omniauth_callbacks_controller.rb
@@ -0,0 +1,33 @@
+class Admins::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  skip_before_action :verify_authenticity_token, only: :developer
@@ -1,3 +1,2 @@
 class Admins::OmniauthCallbacksController < Devise::OmniauthCallbacksController
-  skip_before_action :verify_authenticity_token, only: :developer
@@ -1,3 +1,2 @@
 class Admins::OmniauthCallbacksController < Devise::OmniauthCallbacksController
-  skip_before_action :verify_authenticity_token, only: :developer

+
+  def dbt_staff_sso
+    FindAndUpdateWithAuth.new(auth: request.env["omniauth.auth"], model: Admin).run.tap do |result|
+      if result.success
+        sign_in_and_redirect result.user, event: :authentication
+        set_flash_message(:notice, :success, kind: "DBT Staff SSO")
+      else
+        set_flash_message(:notice, :error, kind: result.errors)
+        redirect_to new_admin_session_url
+      end
+    end
+  end
+
+  def developer
+    raise "developer strategy should only be used in development!" unless Rails.env.development?
+
+    FindAndUpdateWithAuth.new(auth: request.env["omniauth.auth"], model: Admin).run.tap do |result|
+      if result.success
+        sign_in_and_redirect result.user, event: :authentication
+        set_flash_message(:notice, :success, kind: "Developer SSO")
+      else
+        set_flash_message(:notice, :error, kind: result.errors)
+        redirect_to new_admin_session_url
+      end
+    end
+  end
+
+  def failure
+    redirect_to admin_root_path
+  end
+end
diff --git a/app/controllers/admins/sessions_controller.rb b/app/controllers/admins/sessions_controller.rb
@@ -0,0 +1,2 @@
+class Admins::SessionsController < Devise::SessionsController
+end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -31,6 +31,14 @@ def after_sign_in_path_for(resource)
     end
   end
 
+  def after_sign_out_path_for(scope)
+    if scope == :admin
+      new_admin_session_path
+    else
+      super
+    end
+  end
+
   def admin_in_read_only_mode?
     @admin_in_read_only_mode ||= (admin_signed_in? || assessor_signed_in?) &&
       session["warden.user.user.key"] &&

diff --git a/app/interactors/find_and_update_with_auth.rb b/app/interactors/find_and_update_with_auth.rb
@@ -0,0 +1,52 @@
+class FindAndUpdateWithAuth
+  attr_reader :success, :errors, :user
+
+  def initialize(auth:, model:)
+    @model = model
+    @sso_uid = auth.uid
+    @sso_info = auth.info
+    @sso_provider = auth.provider
+  end
+
+  def run
+    @user = find_or_create_user
+    @success = @user.persisted?
+    @errors = @user.errors unless @success
+    self
+  end
+
+  private
+
+  # 1 - check if they have already set up sso; when they have update them to ensure we capture the current email/first_name/last_name
+  # 2 - check if the user already existed prior to sso; when they do update them with the auth details
+  # 3 - finally if they dont exist; create them from the auth details
+  def find_or_create_user
+    find_and_update_with_auth(sso_provider: @sso_provider, sso_uid: @sso_uid) || find_and_update_with_auth(email: @sso_info.email) || create_from_auth
+  end
+
+  def find_and_update_with_auth(conditions)
+    raise "conditions should not be nil: #{conditions}" if conditions.compact.empty?
+
+    existing = @model.find_by(**conditions)
+    return unless existing
+
+    @model.update(
+      existing.id,
+      sso_provider: @sso_provider,
+      sso_uid: @sso_uid,
+      email: @sso_info.email,
+      first_name: @sso_info.first_name,
+      last_name: @sso_info.last_name,
+    )
+  end
+
+  def create_from_auth
+    @model.create(
+      email: @sso_info.email,
+      first_name: @sso_info.first_name,
+      last_name: @sso_info.last_name,
+      sso_uid: @sso_uid,
+      sso_provider: @sso_provider,
+    )
+  end
+end
diff --git a/app/models/admin.rb b/app/models/admin.rb
@@ -2,15 +2,11 @@ class Admin < ApplicationRecord
   include PgSearch::Model
   include AutosaveTokenGeneration
 
-  # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
-
-  devise :authy_authenticatable, :database_authenticatable,
-    :recoverable, :trackable, :validatable, :confirmable,
-    :zxcvbnable, :lockable, :timeoutable, :session_limitable
-  include PasswordValidator
+  devise :trackable, :timeoutable, :session_limitable
+  devise :omniauthable, omniauth_providers: %i[dbt_staff_sso developer]
 
   validates :first_name, :last_name, presence: true
+  validates :email, format: { with: Devise.email_regexp }
 
   has_many :form_answer_attachments, as: :attachable
 

diff --git a/app/views/admin/admins/_list.html.slim b/app/views/admin/admins/_list.html.slim
@@ -10,7 +10,7 @@
           th.sortable
             = sort_link f, 'Signed in on', @search, :last_sign_in_at
           th.sortable
-            = sort_link f, "Confirmed on", @search, :confirmed_at
+            = sort_link f, 'Single sign on ID', @search, :sso_uid
       tbody
         - if AdminDecorator.decorate_collection(resources).none?
           tr
@@ -30,10 +30,4 @@
                     = admin.formatted_last_sign_in_at_long
                   span.hidden-lg
                     = admin.formatted_last_sign_in_at_short
-              td
-                - if admin.confirmed_at.present?
-                  small.text-muted
-                    = l admin.confirmed_at, format: :date_at_time
-                - else
-                  small.text-danger
-                    ' Not confirmed
+              td = admin.sso_uid
diff --git a/app/views/admin/users/index.html.slim b/app/views/admin/users/index.html.slim
@@ -25,8 +25,9 @@
             = link_to "Edit assessors’ access to the system", suspension_status_admin_assessors_path, class: "btn btn-default btn-md"
             ' &nbsp;
 
-          = link_to public_send("new_admin_#{controller_name.singularize}_path"), class: 'new-user btn btn-secondary btn-md' do
-            = "+ Add #{controller_name == "users" ? "applicant" : controller_name.singularize}"
+          - unless controller_name == "admins"
+            = link_to public_send("new_admin_#{controller_name.singularize}_path"), class: 'new-user btn btn-secondary btn-md' do
+              = "+ Add #{controller_name == "users" ? "applicant" : controller_name.singularize}"
     .clear
 
     - if @search.query?

diff --git a/app/views/admins/sessions/new.html.slim b/app/views/admins/sessions/new.html.slim
@@ -9,16 +9,15 @@
         = resource.model_name
         '  - Sign in
 
-    = simple_form_for(resource, as: resource_name, url: session_path(resource_name)) do |f|
+      - unless devise_mapping.omniauthable?
+        = simple_form_for(resource, as: resource_name, url: session_path(resource_name)) do |f|
+          .govuk-form-group
+            = f.input :email, required: false, autofocus: true, label: "Email", input_html: {class: "govuk-input--width-20"}
 
-      .govuk-form-group
-        = f.input :email, required: false, autofocus: true, label: "Email", input_html: {class: "govuk-input--width-20"}
+          .govuk-form-group
+            = f.input :password, required: false, label: "Password", input_html: {class: "govuk-input--width-10"}
 
-      .govuk-form-group
-        = f.input :password, required: false, label: "Password", input_html: {class: "govuk-input--width-10"}
-
-      = f.input :remember_me, as: :boolean if devise_mapping.rememberable?
-
-      = f.button :submit, "Sign in", class: "button large"
+          = f.input :remember_me, as: :boolean if devise_mapping.rememberable?
+          = f.button :submit, "Sign in", class: "button large"
 
     = render "admins/shared/links"
diff --git a/app/views/admins/shared/_links.html.slim b/app/views/admins/shared/_links.html.slim
@@ -15,6 +15,9 @@
     p
       = link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name), class: 'govuk-link'
   - if devise_mapping.omniauthable?
-    - resource_class.omniauth_providers.each do |provider|
-      p
-        = link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider), class: 'govuk-link'
+    - if Rails.env.development?
+      = link_to "Sign in with Developer", omniauth_authorize_path(resource_name, :developer), class: 'govuk-link', method: :post
+    - else
+      - resource_class.omniauth_providers.excluding(:developer).each do |provider|
+        p
+          = link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider), class: 'govuk-link', method: :post
diff --git a/app/views/layouts/application-admin.html.slim b/app/views/layouts/application-admin.html.slim
@@ -91,10 +91,6 @@ html.no-js
                             strong = current_subject.decorate.full_name
                             br
                             small = current_subject.email
-                        li.divider
-                        - unless current_admin.authy_enabled
-                          li
-                            = link_to "Enable 2FA", admin_enable_authy_path
                         li
                           = button_to "Sign out",
                               destroy_admin_session_path,
@@ -110,10 +106,6 @@ html.no-js
                           strong = current_subject.decorate.full_name
                           br
                           small = current_subject.email
-                      li.divider
-                      - unless current_admin.authy_enabled
-                        li
-                          = link_to "Enable 2FA", admin_enable_authy_path
                       li
                         = link_to "Sign out",
                                   destroy_admin_session_path,

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -206,6 +206,13 @@
   #   manager.default_strategies(scope: :user).unshift :some_external_strategy
   # end
 
+  config.omniauth :dbt_staff_sso,
+    ENV.fetch("DBT_STAFF_SSO_APP_ID", nil), # remove the nils once we have these set in ci etc
+    ENV.fetch("DBT_STAFF_SSO_APP_SECRET", nil),
+    info_fields: OmniAuth::Strategies::DbtStaffSso::INFO_FIELD_NAMES
+
+  config.omniauth :developer, fields: [:first_name, :last_name, :email] if Rails.env.development?
+
   config.warden do |manager|
     manager.failure_app = QaeFailureApp
   end

diff --git a/config/routes.rb b/config/routes.rb
@@ -15,14 +15,12 @@
     unlocks: "users/unlocks",
   }
 
-  devise_for :admins, controllers: {
-    confirmations: "admins/confirmations",
-    devise_authy: "admin/devise_authy",
-  }, path_names: {
-    verify_authy: "/verify-token",
-    enable_authy: "/enable-two-factor",
-    verify_authy_installation: "/verify-installation",
-  }
+  devise_for :admins, controllers: { omniauth_callbacks: "admins/omniauth_callbacks" }
+
+  devise_scope :admin do
+    get "admins/sign_in", to: "devise/sessions#new", as: :new_admin_session
+    delete "admins/sign_out", to: "devise/sessions#destroy", as: :destroy_admin_session
+  end
 
   authenticate :admin do
     mount Sidekiq::Web => "/sidekiq"

diff --git a/db/migrate/20241028142655_add_omniauth_to_admins.rb b/db/migrate/20241028142655_add_omniauth_to_admins.rb
@@ -0,0 +1,6 @@
+class AddOmniauthToAdmins < ActiveRecord::Migration[7.0]
+  def change
+    add_column :admins, :sso_provider, :string
+    add_column :admins, :sso_uid, :string
+  end
+end
diff --git a/db/seeds.rb b/db/seeds.rb
@@ -1,7 +1,6 @@
 unless Admin.exists?
   admin_args = {
     email: "[email protected]",
-    password: "^#ur9EkLm@1W+OaDvg",
     first_name: "First name",
     last_name: "Last name",
     confirmed_at: DateTime.now
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		class Admins::SessionsController < Devise::SessionsController
		end