diff --git a/.rubocop.yml b/.rubocop.yml index 821c3902e520..d45f3c613d7b 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -248,6 +248,7 @@ RSpec/DescribeMethod: # to match the exact file name RSpec/SpecFilePathFormat: CustomTransform: + OpenIDConnect: openid_connect OAuthClients: oauth_clients IgnoreMethods: true diff --git a/app/components/op_primer/border_box_table_component.html.erb b/app/components/op_primer/border_box_table_component.html.erb index 293aa2d79ed5..01cbc672c596 100644 --- a/app/components/op_primer/border_box_table_component.html.erb +++ b/app/components/op_primer/border_box_table_component.html.erb @@ -46,11 +46,11 @@ See COPYRIGHT and LICENSE files for more details. if rows.empty? component.with_row(scheme: :default) { render_blank_slate } - end - - rows.each do |row| - component.with_row(scheme: :default) do - render(row_class.new(row:, table: self)) + else + rows.each do |row| + component.with_row(scheme: :default) do + render(row_class.new(row:, table: self)) + end end end end diff --git a/app/mailers/user_mailer.rb b/app/mailers/user_mailer.rb index ea6bcf6d4b10..4947c77dd9c4 100644 --- a/app/mailers/user_mailer.rb +++ b/app/mailers/user_mailer.rb @@ -72,7 +72,7 @@ def password_change_not_possible(user) if user.ldap_auth_source user.ldap_auth_source.name else - user.authentication_provider + user.human_authentication_provider end open_project_headers "Type" => "Account" diff --git a/app/models/auth_provider.rb b/app/models/auth_provider.rb index 69d724c0faed..8a38a4894b02 100644 --- a/app/models/auth_provider.rb +++ b/app/models/auth_provider.rb @@ -32,10 +32,20 @@ class AuthProvider < ApplicationRecord validates :display_name, presence: true validates :display_name, uniqueness: true + after_destroy :unset_direct_provider + def self.slug_fragment raise NotImplementedError end + def user_count + @user_count ||= User.where("identity_url LIKE ?", "#{slug}%").count + end + + def human_type + raise NotImplementedError + end + def auth_url root_url = OpenProject::StaticRouting::StaticUrlHelpers.new.root_url URI.join(root_url, "auth/#{slug}/").to_s @@ -44,4 +54,12 @@ def auth_url def callback_url URI.join(auth_url, "callback").to_s end + + protected + + def unset_direct_provider + if Setting.omniauth_direct_login_provider == slug + Setting.omniauth_direct_login_provider = "" + end + end end diff --git a/app/models/user.rb b/app/models/user.rb index 11749506f856..4b3d33175723 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -308,7 +308,12 @@ def name(formatter = nil) def authentication_provider return if identity_url.blank? - identity_url.split(":", 2).first.titleize + identity_url.split(":", 2).first + end + + # Return user's authentication provider for display + def human_authentication_provider + authentication_provider&.titleize end ## diff --git a/app/views/admin/settings/authentication_settings/show.html.erb b/app/views/admin/settings/authentication_settings/show.html.erb index 8943b42aee49..cca0e8c6d325 100644 --- a/app/views/admin/settings/authentication_settings/show.html.erb +++ b/app/views/admin/settings/authentication_settings/show.html.erb @@ -57,6 +57,27 @@ See COPYRIGHT and LICENSE files for more details. <%= render Settings::NumericSettingComponent.new("invitation_expiration_days", unit: "days") %> +
+ <%= I18n.t(:'settings.authentication.single_sign_on') %> +
+ <% providers = AuthProvider + .where(available: true) + .order("lower(display_name) ASC") + .select(:type, :display_name, :slug) + .to_a + .map { |p| ["#{p.display_name} (#{p.human_type})", p.slug] } + %> + <%= setting_select :omniauth_direct_login_provider, + [[t(:label_disabled), ""]] + providers, + container_class: '-middle' %> + + <%= t("settings.authentication.omniauth_direct_login_hint_html", + internal_path: internal_signin_url) %> + +
+
+ +
<%= I18n.t(:setting_registration_footer) %> diff --git a/app/views/users/form/authentication/_external.html.erb b/app/views/users/form/authentication/_external.html.erb index 423cbaa5a55d..0a4c50875018 100644 --- a/app/views/users/form/authentication/_external.html.erb +++ b/app/views/users/form/authentication/_external.html.erb @@ -1,7 +1,7 @@
<%= styled_label_tag nil, I18n.t('user.authentication_provider') %>
- <%= @user.authentication_provider %> + <%= @user.human_authentication_provider %>
diff --git a/config/initializers/zeitwerk.rb b/config/initializers/zeitwerk.rb index f346f581530a..5681349c4f81 100644 --- a/config/initializers/zeitwerk.rb +++ b/config/initializers/zeitwerk.rb @@ -34,6 +34,8 @@ "OAuth#{default_inflect($1, abspath)}" when /\A(.*)_oauth\z/ "#{default_inflect($1, abspath)}OAuth" + when "openid_connect" + "OpenIDConnect" when "oauth" "OAuth" when /\Aclamav_(.*)\z/ diff --git a/config/locales/en.yml b/config/locales/en.yml index 9ac82e45a972..efff8183f180 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -962,6 +962,7 @@ en: not_a_datetime: "is not a valid date time." not_a_number: "is not a number." not_allowed: "is invalid because of missing permissions." + not_json: "is not a valid JSON object." not_an_integer: "is not an integer." not_an_iso_date: "is not a valid date. Required format: YYYY-MM-DD." not_same_project: "doesn't belong to the same project." @@ -2141,6 +2142,7 @@ en: label_api_doc: "API documentation" label_backup: "Backup" label_backup_code: "Backup code" + label_basic_details: "Basic details" label_between: "between" label_blocked_by: "blocked by" label_blocks: "blocks" @@ -2374,6 +2376,7 @@ en: label_custom_favicon: "Custom favicon" label_custom_touch_icon: "Custom touch icon" label_logout: "Sign out" + label_mapping_for: "Mapping for: %{attribute}" label_main_menu: "Side Menu" label_manage: "Manage" label_manage_groups: "Manage groups" @@ -3340,7 +3343,9 @@ en: setting_default_language: "Default language" setting_default_projects_modules: "Default enabled modules for new projects" setting_default_projects_public: "New projects are public by default" + setting_disable_password_login: "Disable password authentication" setting_diff_max_lines_displayed: "Max number of diff lines displayed" + setting_omniauth_direct_login_provider: "Direct login SSO provider" setting_display_subprojects_work_packages: "Display subprojects work packages on main projects by default" setting_duration_format: "Duration format" setting_duration_format_hours_only: "Hours only" @@ -3444,6 +3449,14 @@ en: setting_working_days: "Working days" settings: + authentication: + single_sign_on: "Single Sign-On" + omniauth_direct_login_hint_html: > + If this option is active, login requests will redirect to the configured omniauth provider. + The login dropdown and sign-in page will be disabled. +
+ Note: Unless you also disable password logins, with this option enabled, + users can still log in internally by visiting the %{internal_path} login page. attachments: whitelist_text_html: > Define a list of valid file extensions and/or mime types for uploaded files. diff --git a/lib/open_project/static/links.rb b/lib/open_project/static/links.rb index ea9d734b5d87..3cf20939e294 100644 --- a/lib/open_project/static/links.rb +++ b/lib/open_project/static/links.rb @@ -273,6 +273,15 @@ def static_links sysadmin_docs: { saml: { href: "https://www.openproject.org/docs/system-admin-guide/authentication/saml/" + }, + oidc: { + href: "https://www.openproject.org/docs/installation-and-operations/misc/custom-openid-connect-providers/" + }, + oidc_claims: { + href: "https://www.openproject.org/docs/installation-and-operations/misc/custom-openid-connect-providers/#claims" + }, + oidc_acr_values: { + href: "https://www.openproject.org/docs/installation-and-operations/misc/custom-openid-connect-providers/#non-essential-claims" } }, storage_docs: { diff --git a/modules/auth_plugins/app/views/hooks/login/_providers.html.erb b/modules/auth_plugins/app/views/hooks/login/_providers.html.erb index c3e34bf4f857..0b27df729c52 100644 --- a/modules/auth_plugins/app/views/hooks/login/_providers.html.erb +++ b/modules/auth_plugins/app/views/hooks/login/_providers.html.erb @@ -27,7 +27,7 @@ See COPYRIGHT and LICENSE files for more details. ++#%> -<% OpenProject::Plugins::AuthPlugin.providers.each do |pro| %> +<% OpenProject::Plugins::AuthPlugin.providers.each do |provider| %> <% opts = { script_name: OpenProject::Configuration.rails_relative_url_root } @@ -36,8 +36,8 @@ See COPYRIGHT and LICENSE files for more details. end %> - <%= pro[:display_name] || pro[:name] %> + href="<%= omni_auth_start_path(provider[:name], opts) %>" + class="auth-provider auth-provider-<%= provider[:name] %> <%= provider[:icon] ? 'auth-provider--imaged' : '' %> button"> + <%= provider[:display_name] || provider[:name] %> <% end %> diff --git a/modules/auth_plugins/app/views/hooks/login/_providers_css.html.erb b/modules/auth_plugins/app/views/hooks/login/_providers_css.html.erb index 88178a25f6ff..519c8199237a 100644 --- a/modules/auth_plugins/app/views/hooks/login/_providers_css.html.erb +++ b/modules/auth_plugins/app/views/hooks/login/_providers_css.html.erb @@ -27,17 +27,17 @@ See COPYRIGHT and LICENSE files for more details. ++#%> -<% OpenProject::Plugins::AuthPlugin.providers.each do |pro| %> - <% if pro[:icon] %> +<% OpenProject::Plugins::AuthPlugin.providers.each do |provider| %> + <% if provider[:icon] %> <% end -%> diff --git a/modules/auth_saml/app/components/saml/providers/row_component.rb b/modules/auth_saml/app/components/saml/providers/row_component.rb index 30f6a3de52f0..96c140e7d581 100644 --- a/modules/auth_saml/app/components/saml/providers/row_component.rb +++ b/modules/auth_saml/app/components/saml/providers/row_component.rb @@ -53,7 +53,7 @@ def edit_link end def users - User.where("identity_url LIKE ?", "#{provider.slug}%").count.to_s + provider.user_count.to_s end def creator diff --git a/modules/auth_saml/app/controllers/saml/providers_controller.rb b/modules/auth_saml/app/controllers/saml/providers_controller.rb index ab8a43a11fe4..641206537bcf 100644 --- a/modules/auth_saml/app/controllers/saml/providers_controller.rb +++ b/modules/auth_saml/app/controllers/saml/providers_controller.rb @@ -7,7 +7,7 @@ class ProvidersController < ::ApplicationController before_action :require_admin before_action :check_ee - before_action :find_provider, only: %i[show edit import_metadata update destroy] + before_action :find_provider, only: %i[show edit import_metadata update confirm_destroy destroy] before_action :check_provider_writable, only: %i[update import_metadata] before_action :set_edit_state, only: %i[create edit update import_metadata] @@ -85,7 +85,7 @@ def create def update call = Saml::Providers::UpdateService .new(model: @provider, user: User.current) - .call(options: update_params) + .call(update_params) if call.success? flash[:notice] = I18n.t(:notice_successful_update) unless @edit_mode @@ -96,6 +96,8 @@ def update end end + def confirm_destroy; end + def destroy call = ::Saml::Providers::DeleteService .new(model: @provider, user: User.current) diff --git a/modules/auth_saml/app/forms/saml/providers/mapping_form.rb b/modules/auth_saml/app/forms/saml/providers/mapping_form.rb index fa1be96a4795..518a680a774e 100644 --- a/modules/auth_saml/app/forms/saml/providers/mapping_form.rb +++ b/modules/auth_saml/app/forms/saml/providers/mapping_form.rb @@ -32,7 +32,7 @@ class MappingForm < BaseForm form do |f| f.text_area( name: :mapping_login, - label: I18n.t("saml.providers.label_mapping_for", attribute: User.human_attribute_name(:login)), + label: I18n.t("label_mapping_for", attribute: User.human_attribute_name(:login)), caption: I18n.t("saml.instructions.mapping_login"), required: true, disabled: provider.seeded_from_env?, @@ -41,7 +41,7 @@ class MappingForm < BaseForm ) f.text_area( name: :mapping_mail, - label: I18n.t("saml.providers.label_mapping_for", attribute: User.human_attribute_name(:mail)), + label: I18n.t("label_mapping_for", attribute: User.human_attribute_name(:mail)), caption: I18n.t("saml.instructions.mapping_mail"), required: true, disabled: provider.seeded_from_env?, @@ -50,7 +50,7 @@ class MappingForm < BaseForm ) f.text_area( name: :mapping_firstname, - label: I18n.t("saml.providers.label_mapping_for", attribute: User.human_attribute_name(:first_name)), + label: I18n.t("label_mapping_for", attribute: User.human_attribute_name(:first_name)), caption: I18n.t("saml.instructions.mapping_firstname"), required: true, disabled: provider.seeded_from_env?, @@ -59,7 +59,7 @@ class MappingForm < BaseForm ) f.text_area( name: :mapping_lastname, - label: I18n.t("saml.providers.label_mapping_for", attribute: User.human_attribute_name(:last_name)), + label: I18n.t("label_mapping_for", attribute: User.human_attribute_name(:last_name)), caption: I18n.t("saml.instructions.mapping_lastname"), required: true, disabled: provider.seeded_from_env?, @@ -68,7 +68,7 @@ class MappingForm < BaseForm ) f.text_field( name: :mapping_uid, - label: I18n.t("saml.providers.label_mapping_for", attribute: I18n.t("saml.providers.label_uid")), + label: I18n.t("label_mapping_for", attribute: I18n.t("saml.providers.label_uid")), caption: I18n.t("saml.instructions.mapping_uid"), disabled: provider.seeded_from_env?, rows: 8, diff --git a/modules/auth_saml/app/models/saml/provider.rb b/modules/auth_saml/app/models/saml/provider.rb index 3ae89b0fb726..515c3a42d67c 100644 --- a/modules/auth_saml/app/models/saml/provider.rb +++ b/modules/auth_saml/app/models/saml/provider.rb @@ -45,6 +45,10 @@ class Provider < AuthProvider def self.slug_fragment = "saml" + def human_type + "SAML" + end + def seeded_from_env? (Setting.seed_saml_provider || {}).key?(slug) end diff --git a/modules/auth_saml/app/views/saml/providers/confirm_destroy.html.erb b/modules/auth_saml/app/views/saml/providers/confirm_destroy.html.erb new file mode 100644 index 000000000000..1eb1e53eb0ae --- /dev/null +++ b/modules/auth_saml/app/views/saml/providers/confirm_destroy.html.erb @@ -0,0 +1,66 @@ +<%#-- copyright +OpenProject is an open source project management software. +Copyright (C) the OpenProject GmbH + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License version 3. + +OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +Copyright (C) 2006-2013 Jean-Philippe Lang +Copyright (C) 2010-2013 the ChiliProject Team + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +See COPYRIGHT and LICENSE files for more details. + +++#%> +<%= styled_form_tag(saml_provider_path(@provider), + class: 'danger-zone', + method: :delete) do %> +
+

+ <%= t('saml.delete_title') %> +

+

+ <%= t('provider.delete_warning.provider', name: content_tag(:strong, @provider.display_name)).html_safe %> +

+
    +
  • <%= t('provider.delete_warning.delete_result_1') %> +
  • <%= t('provider.delete_warning.delete_result_user_count', count: @provider.user_count) %> + <% if Setting.omniauth_direct_login_provider == @provider.slug %> +
  • <%= t('provider.delete_warning.delete_result_direct') %> + <% end %> +
+

+ + <%= t('provider.delete_warning.irreversible_notice') %> +

+

+ <%= t('provider.delete_warning.input_delete_confirmation', name: "#{h(@provider.display_name)}").html_safe %> +

+
+ <%= text_field_tag :delete_confirmation %> + <%= styled_button_tag title: t(:button_delete), class: '-primary', disabled: true do + concat content_tag :i, '', class: 'button--icon icon-delete' + concat content_tag :span, t(:button_delete), class: 'button--text' + end %> + <%= link_to saml_providers_path, + title: t(:button_cancel), + class: 'button -with-icon icon-cancel' do %> + <%= t(:button_cancel) %> + <% end %> +
+
+<% end %> diff --git a/modules/auth_saml/app/views/saml/providers/show.html.erb b/modules/auth_saml/app/views/saml/providers/show.html.erb index 64d09eaad670..89c532a1a650 100644 --- a/modules/auth_saml/app/views/saml/providers/show.html.erb +++ b/modules/auth_saml/app/views/saml/providers/show.html.erb @@ -14,12 +14,8 @@ mobile_icon: :trash, mobile_label: t(:button_delete), size: :medium, - href: saml_provider_path(@provider), + href: confirm_destroy_saml_provider_path(@provider), aria: { label: I18n.t(:button_delete) }, - data: { - confirm: t(:text_are_you_sure), - method: :delete, - }, title: I18n.t(:button_delete) ) do |button| button.with_leading_visual_icon(icon: :trash) diff --git a/modules/auth_saml/config/locales/en.yml b/modules/auth_saml/config/locales/en.yml index 62be3e7ff8f1..d7f1e1ff879a 100644 --- a/modules/auth_saml/config/locales/en.yml +++ b/modules/auth_saml/config/locales/en.yml @@ -33,6 +33,7 @@ en: unmatched_private_key: "does not belong to the given certificate" saml: menu_title: SAML providers + delete_title: Delete SAML provider info: title: "SAML Protocol Configuration Parameters" description: > @@ -54,7 +55,7 @@ en: label_edit: Edit SAML identity provider %{name} label_uid: Internal user id label_mapping: Mapping - label_mapping_for: "Mapping for: %{attribute}" + label_requested_attribute_for: "Requested attribute for: %{attribute}" no_results_table: No SAML identity providers have been defined yet. plural: SAML identity providers diff --git a/modules/auth_saml/config/routes.rb b/modules/auth_saml/config/routes.rb index 926f2427ae98..2645187796fe 100644 --- a/modules/auth_saml/config/routes.rb +++ b/modules/auth_saml/config/routes.rb @@ -4,6 +4,7 @@ resources :providers do member do post :import_metadata + get :confirm_destroy end end end diff --git a/modules/auth_saml/spec/features/administration/saml_crud_spec.rb b/modules/auth_saml/spec/features/administration/saml_crud_spec.rb index 2df6ed5f2512..0efcc2763a04 100644 --- a/modules/auth_saml/spec/features/administration/saml_crud_spec.rb +++ b/modules/auth_saml/spec/features/administration/saml_crud_spec.rb @@ -33,6 +33,7 @@ :js, :with_cuprite do shared_let(:user) { create(:admin) } + let(:danger_zone) { DangerZone.new(page) } before do login_as(user) @@ -98,18 +99,31 @@ expect(provider.private_key.strip.gsub("\r\n", "\n")).to eq CertificateHelper.private_key.private_to_pem.strip expect(provider.idp_sso_service_url).to eq "https://example.com/sso" expect(provider.idp_slo_service_url).to eq "https://example.com/slo" - expect(provider.mapping_login).to eq "login\nmail" + expect(provider.mapping_login).to eq "login\r\nmail" expect(provider.mapping_mail).to eq "mail" expect(provider.mapping_firstname).to eq "myName" expect(provider.mapping_lastname).to eq "myLastName" expect(provider.mapping_uid).to eq "uid" expect(provider.authn_requests_signed).to be true - accept_confirm do - click_link_or_button "Delete" - end + click_link_or_button "Delete" + # Confirm the deletion + # Without confirmation, the button is disabled + expect(danger_zone).to be_disabled + + # With wrong confirmation, the button is disabled + danger_zone.confirm_with("foo") + + expect(danger_zone).to be_disabled + + # With correct confirmation, the button is enabled + # and the project can be deleted + danger_zone.confirm_with(provider.display_name) + expect(danger_zone).not_to be_disabled + danger_zone.danger_button.click expect(page).to have_text "No SAML providers configured yet." + expect { provider.reload }.to raise_error ActiveRecord::RecordNotFound end it "can import metadata from XML" do diff --git a/modules/auth_saml/spec/models/saml/provider_spec.rb b/modules/auth_saml/spec/models/saml/provider_spec.rb index 3c88b8624d84..c2fee27da4df 100644 --- a/modules/auth_saml/spec/models/saml/provider_spec.rb +++ b/modules/auth_saml/spec/models/saml/provider_spec.rb @@ -281,4 +281,16 @@ it { is_expected.to be false } end end + + describe "#destroy" do + let(:provider) { create(:saml_provider) } + + it "unsets the setting" do + Setting.omniauth_direct_login_provider = provider.slug + + provider.destroy! + + expect(Setting.omniauth_direct_login_provider).to be_blank + end + end end diff --git a/modules/openid_connect/app/assets/images/openid_connect/auth_provider-custom.png b/modules/openid_connect/app/assets/images/openid_connect/auth_provider-custom.png new file mode 100644 index 000000000000..a3f8d7d23978 Binary files /dev/null and b/modules/openid_connect/app/assets/images/openid_connect/auth_provider-custom.png differ diff --git a/modules/openid_connect/app/assets/images/openid_connect/auth_provider-heroku.png b/modules/openid_connect/app/assets/images/openid_connect/auth_provider-heroku.png deleted file mode 100644 index b500b38166c8..000000000000 Binary files a/modules/openid_connect/app/assets/images/openid_connect/auth_provider-heroku.png and /dev/null differ diff --git a/modules/openid_connect/app/components/openid_connect/providers/attribute_mapping_form.rb b/modules/openid_connect/app/components/openid_connect/providers/attribute_mapping_form.rb new file mode 100644 index 000000000000..1ed8eb37544a --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/attribute_mapping_form.rb @@ -0,0 +1,48 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class AttributeMappingForm < BaseForm + form do |f| + OpenIDConnect::Provider::MAPPABLE_ATTRIBUTES.each do |attr| + attribute_name = User.human_attribute_name(attr == :email ? :mail : attr) + + f.text_field( + name: :"mapping_#{attr}", + label: I18n.t("label_mapping_for", attribute: attribute_name), + caption: I18n.t("openid_connect.instructions.mapping_#{attr}"), + disabled: provider.seeded_from_env?, + required: false, + input_width: :medium + ) + end + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/base_form.rb b/modules/openid_connect/app/components/openid_connect/providers/base_form.rb new file mode 100644 index 000000000000..6a727f4162bd --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/base_form.rb @@ -0,0 +1,40 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class BaseForm < ApplicationForm + attr_reader :provider + + def initialize(provider:) + super() + @provider = provider + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/claims_form.rb b/modules/openid_connect/app/components/openid_connect/providers/claims_form.rb new file mode 100644 index 000000000000..02722ffc0d1f --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/claims_form.rb @@ -0,0 +1,66 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class ClaimsForm < BaseForm + include Redmine::I18n + + form do |f| + f.text_area( + name: :claims, + rows: 10, + label: I18n.t("activemodel.attributes.openid_connect/provider.claims"), + caption: link_translate( + "openid_connect.instructions.claims", + links: { + docs_url: ::OpenProject::Static::Links[:sysadmin_docs][:oidc_claims][:href] + } + ), + disabled: provider.seeded_from_env?, + required: false, + input_width: :large + ) + + f.text_field( + name: :acr_values, + label: I18n.t("activemodel.attributes.openid_connect/provider.acr_values"), + caption: link_translate( + "openid_connect.instructions.acr_values", + links: { + docs_url: ::OpenProject::Static::Links[:sysadmin_docs][:oidc_acr_values][:href] + } + ), + disabled: provider.seeded_from_env?, + required: false, + input_width: :large + ) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/client_details_form.rb b/modules/openid_connect/app/components/openid_connect/providers/client_details_form.rb new file mode 100644 index 000000000000..8c945ac679aa --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/client_details_form.rb @@ -0,0 +1,61 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class ClientDetailsForm < BaseForm + form do |f| + %i[client_id client_secret].each do |attr| + f.text_field( + name: attr, + label: I18n.t("activemodel.attributes.openid_connect/provider.#{attr}"), + caption: I18n.t("openid_connect.instructions.#{attr}"), + disabled: provider.seeded_from_env?, + required: true, + input_width: :large + ) + end + f.text_field( + name: :post_logout_redirect_uri, + label: I18n.t("activemodel.attributes.openid_connect/provider.post_logout_redirect_uri"), + caption: I18n.t("openid_connect.instructions.post_logout_redirect_uri"), + disabled: provider.seeded_from_env?, + required: false, + input_width: :large + ) + f.check_box( + name: :limit_self_registration, + label: I18n.t("activemodel.attributes.openid_connect/provider.limit_self_registration"), + caption: I18n.t("openid_connect.instructions.limit_self_registration"), + disabled: provider.seeded_from_env?, + required: true + ) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/metadata_details_form.rb b/modules/openid_connect/app/components/openid_connect/providers/metadata_details_form.rb new file mode 100644 index 000000000000..ec28d450750e --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/metadata_details_form.rb @@ -0,0 +1,54 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class MetadataDetailsForm < BaseForm + form do |f| + OpenIDConnect::Provider::DISCOVERABLE_ATTRIBUTES_ALL.each do |attr| + f.text_field( + name: attr, + label: I18n.t("activemodel.attributes.openid_connect/provider.#{attr}"), + disabled: provider.seeded_from_env?, + required: OpenIDConnect::Provider::DISCOVERABLE_ATTRIBUTES_MANDATORY.include?(attr), + input_width: :large + ) + end + + f.text_field( + name: :icon, + label: I18n.t("activemodel.attributes.openid_connect/provider.icon"), + caption: I18n.t("saml.instructions.icon"), + disabled: provider.seeded_from_env?, + required: false, + input_width: :large + ) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/metadata_options_form.rb b/modules/openid_connect/app/components/openid_connect/providers/metadata_options_form.rb new file mode 100644 index 000000000000..0e82e822386d --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/metadata_options_form.rb @@ -0,0 +1,58 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class MetadataOptionsForm < BaseForm + form do |f| + f.radio_button_group( + name: "metadata", + scope_name_to_model: false, + disabled: provider.seeded_from_env?, + visually_hide_label: true + ) do |radio_group| + radio_group.radio_button( + value: "none", + checked: @provider.metadata_url.blank?, + label: I18n.t("openid_connect.settings.metadata_none"), + disabled: provider.seeded_from_env?, + data: { "show-when-value-selected-target": "cause" } + ) + + radio_group.radio_button( + value: "url", + checked: @provider.metadata_url.present?, + label: I18n.t("openid_connect.settings.metadata_url"), + disabled: provider.seeded_from_env?, + data: { "show-when-value-selected-target": "cause" } + ) + end + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/metadata_url_form.rb b/modules/openid_connect/app/components/openid_connect/providers/metadata_url_form.rb new file mode 100644 index 000000000000..b18a185536cf --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/metadata_url_form.rb @@ -0,0 +1,44 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class MetadataUrlForm < BaseForm + form do |f| + f.text_field( + name: :metadata_url, + label: I18n.t("openid_connect.settings.endpoint_url"), + required: false, + disabled: provider.seeded_from_env?, + caption: I18n.t("openid_connect.instructions.endpoint_url"), + input_width: :xlarge + ) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/name_input_and_tenant_form.rb b/modules/openid_connect/app/components/openid_connect/providers/name_input_and_tenant_form.rb new file mode 100644 index 000000000000..16d73ccd3f15 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/name_input_and_tenant_form.rb @@ -0,0 +1,54 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class NameInputAndTenantForm < BaseForm + form do |f| + f.hidden(name: :oidc_provider, value: provider.oidc_provider) + f.text_field( + name: :display_name, + label: I18n.t("activemodel.attributes.openid_connect/provider.display_name"), + required: true, + disabled: provider.seeded_from_env?, + caption: I18n.t("openid_connect.instructions.display_name"), + input_width: :medium + ) + f.text_field( + name: :tenant, + label: I18n.t("activemodel.attributes.openid_connect/provider.tenant"), + required: true, + disabled: provider.seeded_from_env?, + value: provider.tenant || "common", + caption: I18n.t("openid_connect.instructions.tenant").html_safe, + input_width: :medium + ) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/name_input_form.rb b/modules/openid_connect/app/components/openid_connect/providers/name_input_form.rb new file mode 100644 index 000000000000..68728a4f46d3 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/name_input_form.rb @@ -0,0 +1,45 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class NameInputForm < BaseForm + form do |f| + f.hidden(name: :oidc_provider, value: provider.oidc_provider) + f.text_field( + name: :display_name, + label: I18n.t("activemodel.attributes.openid_connect/provider.display_name"), + required: true, + disabled: provider.seeded_from_env?, + caption: I18n.t("openid_connect.instructions.display_name"), + input_width: :medium + ) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/row_component.rb b/modules/openid_connect/app/components/openid_connect/providers/row_component.rb index 220b156153cd..0eae5bfaabcf 100644 --- a/modules/openid_connect/app/components/openid_connect/providers/row_component.rb +++ b/modules/openid_connect/app/components/openid_connect/providers/row_component.rb @@ -1,15 +1,36 @@ module OpenIDConnect module Providers - class RowComponent < ::RowComponent + class RowComponent < ::OpPrimer::BorderBoxRowComponent def provider model end + def column_args(column) + if column == :name + { style: "grid-column: span 3" } + else + super + end + end + def name - link_to( - provider.display_name || provider.name, - url_for(action: :edit, id: provider.id) - ) + link = render( + Primer::Beta::Link.new( + href: url_for(action: :edit, id: provider.id), + font_weight: :bold, + mr: 1 + ) + ) { provider.display_name } + if !provider.configured? + link.concat( + render(Primer::Beta::Label.new(scheme: :attention)) { I18n.t(:label_incomplete) } + ) + end + link + end + + def type + I18n.t("openid_connect.providers.#{provider.oidc_provider}.name") end def row_css_class @@ -19,28 +40,20 @@ def row_css_class ].join(" ") end - ### - def button_links - [edit_link, delete_link] + [] + end + + def users + provider.user_count.to_s end - def edit_link - link_to( - helpers.op_icon("icon icon-edit button--link"), - url_for(action: :edit, id: provider.id), - title: t(:button_edit) - ) + def creator + helpers.avatar(provider.creator, size: :mini, hide_name: false) end - def delete_link - link_to( - helpers.op_icon("icon icon-delete button--link"), - url_for(action: :destroy, id: provider.id), - method: :delete, - data: { confirm: I18n.t(:text_are_you_sure) }, - title: t(:button_delete) - ) + def created_at + helpers.format_time provider.created_at end end end diff --git a/modules/openid_connect/app/components/openid_connect/providers/sections/form_component.html.erb b/modules/openid_connect/app/components/openid_connect/providers/sections/form_component.html.erb new file mode 100644 index 000000000000..5339d40ecdc1 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/sections/form_component.html.erb @@ -0,0 +1,41 @@ +<%= + primer_form_with( + id: "openid-connect-providers-edit-form", + model: provider, + url:, + method: form_method, + data: { turbo: true, turbo_stream: true } + ) do |form| + flex_layout do |flex| + if @heading + flex.with_row do + render(Primer::Beta::Text.new(tag: :p, mb: 4, font_weight: :bold)) do + @heading + end + end + end + + if @banner + flex.with_row(mb: 2) do + icon = @banner_scheme == :warning ? :alert : :info + render(Primer::Alpha::Banner.new(scheme: @banner_scheme, icon:)) do + @banner + end + end + end + + flex.with_row do + render(@form_class.new(form, provider:)) + end + + flex.with_row(mt: 4) do + render(OpenIDConnect::Providers::SubmitOrCancelForm.new( + form, + provider:, + submit_button_options: { label: button_label }, + cancel_button_options: { hidden: edit_mode } + )) + end + end + end +%> diff --git a/modules/openid_connect/app/components/openid_connect/providers/sections/form_component.rb b/modules/openid_connect/app/components/openid_connect/providers/sections/form_component.rb new file mode 100644 index 000000000000..99a83b3788a0 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/sections/form_component.rb @@ -0,0 +1,88 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect::Providers::Sections + class FormComponent < ::Saml::Providers::Sections::SectionComponent + attr_reader :edit_state, :next_edit_state, :edit_mode + + def initialize(provider, + edit_state:, + form_class:, + heading:, + banner: nil, + banner_scheme: :default, + next_edit_state: nil, + edit_mode: nil) + super(provider) + + @edit_state = edit_state + @next_edit_state = next_edit_state + @edit_mode = edit_mode + @form_class = form_class + @heading = heading + @banner = banner + @banner_scheme = banner_scheme + end + + def url + if provider.new_record? + openid_connect_providers_path(**form_url_params) + else + openid_connect_provider_path(provider, **form_url_params) + end + end + + def form_url_params + if edit_mode + { edit_state:, edit_mode:, next_edit_state: } + else + { edit_state: } + end + end + + def form_method + if provider.new_record? + :post + else + :put + end + end + + def button_label + return I18n.t(:button_save) unless edit_mode + + if next_edit_state.nil? + I18n.t(:button_finish_setup) + else + I18n.t(:button_continue) + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/sections/metadata_form_component.html.erb b/modules/openid_connect/app/components/openid_connect/providers/sections/metadata_form_component.html.erb new file mode 100644 index 000000000000..c1d86a4b6b56 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/sections/metadata_form_component.html.erb @@ -0,0 +1,56 @@ +<%= + primer_form_with( + model: provider, + id: "openid-connect-providers-edit-form", + url:, + data: { + controller: "show-when-value-selected", + turbo: true, + turbo_stream: true, + }, + method: :put, + ) do |form| + flex_layout do |flex| + unless edit_mode + flex.with_row do + render(Primer::Alpha::Banner.new(mb: 2, scheme: :warning, icon: :alert)) do + t("openid_connect.providers.section_texts.metadata_form_banner") + end + end + end + + flex.with_row do + render(Primer::Beta::Text.new(tag: :p, font_weight: :bold)) { + I18n.t("openid_connect.providers.label_metadata") + } + end + + flex.with_row do + render(Primer::Beta::Text.new(tag: :p)) { + I18n.t("openid_connect.providers.section_texts.metadata_form_description") + } + end + + flex.with_row do + render(OpenIDConnect::Providers::MetadataOptionsForm.new(form, provider:)) + end + + flex.with_row( + mt: 2, + hidden: provider.metadata_url.blank?, + data: { value: :url, 'show-when-value-selected-target': "effect" } + ) do + render(OpenIDConnect::Providers::MetadataUrlForm.new(form, provider:)) + end + + flex.with_row(mt: 4) do + render(OpenIDConnect::Providers::SubmitOrCancelForm.new( + form, + provider:, + submit_button_options: { label: button_label }, + cancel_button_options: { hidden: edit_mode }, + state: :metadata)) + end + end + end +%> diff --git a/modules/openid_connect/app/components/openid_connect/providers/sections/metadata_form_component.rb b/modules/openid_connect/app/components/openid_connect/providers/sections/metadata_form_component.rb new file mode 100644 index 000000000000..b8ea2f88a11e --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/sections/metadata_form_component.rb @@ -0,0 +1,34 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ +# +module OpenIDConnect::Providers::Sections + class MetadataFormComponent < FormComponent + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/sections/show_component.html.erb b/modules/openid_connect/app/components/openid_connect/providers/sections/show_component.html.erb new file mode 100644 index 000000000000..f0a6c588f4fc --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/sections/show_component.html.erb @@ -0,0 +1,45 @@ +<%= + grid_layout('op-saml-view-row', + tag: :div, + test_selector: "openid_connect_provider_#{@target_state}", + align_items: :center) do |grid| + grid.with_area(:title, mr: 3) do + concat render(Primer::Beta::Text.new(font_weight: :bold)) { @heading } + if @label + concat render(Primer::Beta::Label.new(scheme: @label_scheme, ml: 1)) { @label } + end + end + + grid.with_area(:description) do + render(Primer::Beta::Text.new(tag: :p, font_size: :small, color: :subtle)) do + @description + end + end + + disabled = provider.seeded_from_env? + if show_edit? + grid.with_area(:action) do + flex_layout(justify_content: :flex_end) do |icons_container| + if @action + icons_container.with_column do + render(@action) + end + end + + icons_container.with_column do + render( + Primer::Beta::IconButton.new( + icon: disabled ? :eye : :pencil, + tag: :a, + scheme: :invisible, + href: url_for(action: :edit, id: provider.id, edit_state: @target_state), + data: { turbo: true, turbo_stream: true }, + aria: { label: I18n.t(disabled ? :label_show : :label_edit) } + ) + ) + end + end + end + end + end +%> diff --git a/modules/openid_connect/app/components/openid_connect/providers/sections/show_component.rb b/modules/openid_connect/app/components/openid_connect/providers/sections/show_component.rb new file mode 100644 index 000000000000..630b15558b5f --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/sections/show_component.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ +# +module OpenIDConnect::Providers::Sections + class ShowComponent < ::Saml::Providers::Sections::SectionComponent + def initialize(provider, view_mode:, target_state:, + heading:, description:, action: nil, label: nil, label_scheme: :attention) + super(provider) + + @target_state = target_state + @view_mode = view_mode + @heading = heading + @description = description + @label = label + @label_scheme = label_scheme + @action = action + end + + def show_edit? + provider.persisted? + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/submit_or_cancel_form.rb b/modules/openid_connect/app/components/openid_connect/providers/submit_or_cancel_form.rb new file mode 100644 index 000000000000..d04799752bb6 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/submit_or_cancel_form.rb @@ -0,0 +1,85 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class SubmitOrCancelForm < ApplicationForm + form do |f| + if @state + f.hidden( + name: :edit_state, + scope_name_to_model: false, + value: @state + ) + end + + f.group(layout: :horizontal) do |button_group| + button_group.submit(**@submit_button_options) unless @provider.seeded_from_env? + button_group.button(**@cancel_button_options) unless @cancel_button_options[:hidden] + end + end + + def initialize(provider:, state: nil, submit_button_options: {}, cancel_button_options: {}) + super() + @state = state + @provider = provider + @submit_button_options = default_submit_button_options.merge(submit_button_options) + @cancel_button_options = default_cancel_button_options.merge(cancel_button_options) + end + + private + + def default_submit_button_options + { + name: :submit, + scheme: :primary, + label: I18n.t(:button_continue), + disabled: false + } + end + + def default_cancel_button_options + { + name: :cancel, + scheme: :default, + tag: :a, + href: back_link, + label: I18n.t("button_cancel") + } + end + + def back_link + if @provider.new_record? + OpenProject::StaticRouting::StaticRouter.new.url_helpers.openid_connect_providers_path + else + OpenProject::StaticRouting::StaticRouter.new.url_helpers.edit_openid_connect_provider_path(@provider) + end + end + end + end +end diff --git a/modules/openid_connect/app/components/openid_connect/providers/table_component.rb b/modules/openid_connect/app/components/openid_connect/providers/table_component.rb index 8b4225548255..9f23c1b974dc 100644 --- a/modules/openid_connect/app/components/openid_connect/providers/table_component.rb +++ b/modules/openid_connect/app/components/openid_connect/providers/table_component.rb @@ -1,12 +1,24 @@ module OpenIDConnect module Providers - class TableComponent < ::TableComponent - columns :name + class TableComponent < ::OpPrimer::BorderBoxTableComponent + columns :name, :type, :users, :creator, :created_at def initial_sort %i[id asc] end + def header_args(column) + if column == :name + { style: "grid-column: span 3" } + else + super + end + end + + def has_actions? + false + end + def sortable? false end @@ -17,9 +29,29 @@ def empty_row_message def headers [ - ["name", { caption: I18n.t("attributes.name") }] + [:name, { caption: I18n.t("attributes.name") }], + [:type, { caption: I18n.t("attributes.type") }], + [:users, { caption: I18n.t(:label_user_plural) }], + [:creator, { caption: I18n.t("js.label_created_by") }], + [:created_at, { caption: OpenIDConnect::Provider.human_attribute_name(:created_at) }] ] end + + def blank_title + I18n.t("openid_connect.providers.label_empty_title") + end + + def blank_description + I18n.t("openid_connect.providers.label_empty_description") + end + + def row_class + ::OpenIDConnect::Providers::RowComponent + end + + def blank_icon + :key + end end end end diff --git a/modules/openid_connect/app/components/openid_connect/providers/view_component.html.erb b/modules/openid_connect/app/components/openid_connect/providers/view_component.html.erb new file mode 100644 index 000000000000..585282184884 --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/view_component.html.erb @@ -0,0 +1,255 @@ +<%= component_wrapper do %> + <% if provider.seeded_from_env? %> + <%= + render(Primer::Alpha::Banner.new(mb: 2, scheme: :default, icon: :bell, spacious: true)) do + I18n.t("openid_connect.providers.seeded_from_env") + end + %> + <% end %> + + <%= render(border_box_container) do |component| + component.with_header(color: :muted) do + render(Primer::Beta::Text.new(font_weight: :bold)) { I18n.t(:label_basic_details) } + end + + case provider.oidc_provider + when 'google' + component.with_row(scheme: :default) do + basic_details_component = if edit_state == :name + OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::NameInputForm, + edit_state:, + next_edit_state: :client_details, + edit_mode:, + heading: nil + ) + else + OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + view_mode:, + target_state: :name, + heading: t("activemodel.attributes.openid_connect/provider.display_name"), + description: t("openid_connect.providers.section_texts.display_name") + ) + end + render(basic_details_component) + end + + component.with_row(scheme: :default) do + if edit_state == :client_details + render(OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::ClientDetailsForm, + edit_state:, + edit_mode:, + heading: nil, + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :client_details, + view_mode:, + heading: t("openid_connect.providers.label_client_details"), + label: provider.advanced_details_configured? ? t(:label_completed) : t(:label_not_configured), + label_scheme: provider.advanced_details_configured? ? :success : :secondary, + description: t("openid_connect.providers.client_details_description") + )) + end + end + when 'microsoft_entra' + component.with_row(scheme: :default) do + basic_details_component = if edit_state == :name + OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::NameInputAndTenantForm, + edit_state:, + next_edit_state: :client_details, + edit_mode:, + heading: nil + ) + else + OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + view_mode:, + target_state: :name, + heading: t("activemodel.attributes.openid_connect/provider.display_name"), + description: t("openid_connect.providers.section_texts.display_name") + ) + end + render(basic_details_component) + end + + component.with_row(scheme: :default) do + if edit_state == :client_details + render(OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::ClientDetailsForm, + edit_state:, + edit_mode:, + heading: nil + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :client_details, + view_mode:, + heading: t("openid_connect.providers.label_client_details"), + label: provider.advanced_details_configured? ? t(:label_completed) : t(:label_not_configured), + label_scheme: provider.advanced_details_configured? ? :success : :secondary, + description: t("openid_connect.providers.client_details_description") + )) + end + end + else # custom + component.with_row(scheme: :default) do + basic_details_component = + if edit_state == :name + OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::NameInputForm, + edit_state:, + next_edit_state: :metadata, + edit_mode:, + heading: nil + ) + else + OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + view_mode:, + target_state: :name, + heading: t("activemodel.attributes.openid_connect/provider.display_name"), + description: t("openid_connect.providers.section_texts.display_name") + ) + end + render(basic_details_component) + end + + component.with_row(scheme: :neutral, color: :muted) do + render(Primer::Beta::Text.new(font_weight: :bold)) { I18n.t('openid_connect.providers.label_automatic_configuration') } + end + + component.with_row(scheme: :default) do + if edit_state == :metadata + render(OpenIDConnect::Providers::Sections::MetadataFormComponent.new( + provider, + form_class: nil, + heading: nil, + edit_state:, + edit_mode:, + next_edit_state: :metadata_details + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :metadata, + view_mode:, + heading: t("openid_connect.providers.label_metadata"), + description: t("openid_connect.providers.section_texts.metadata"), + label: provider.metadata_url.present? ? t(:label_completed) : t(:label_not_configured), + label_scheme: provider.metadata_url.present? ? :success : :secondary + )) + end + end + + component.with_row(scheme: :neutral, color: :muted) do + render(Primer::Beta::Text.new(font_weight: :bold)) { I18n.t('openid_connect.providers.label_advanced_configuration') } + end + + component.with_row(scheme: :default) do + if edit_state == :metadata_details + render(OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::MetadataDetailsForm, + edit_state:, + next_edit_state: :client_details, + edit_mode:, + banner: provider.metadata_url.present? ? t("openid_connect.providers.section_texts.configuration_metadata") : nil, + banner_scheme: :default, + heading: nil + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :metadata_details, + view_mode:, + heading: t("openid_connect.providers.label_configuration_details"), + description: t("openid_connect.providers.section_texts.configuration"), + label: provider.metadata_configured? ? t(:label_completed) : t(:label_not_configured), + label_scheme: provider.metadata_configured? ? :success : :secondary + )) + end + end + + component.with_row(scheme: :default) do + if edit_state == :client_details + render(OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::ClientDetailsForm, + edit_state:, + next_edit_state: :attribute_mapping, + edit_mode:, + heading: nil + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :client_details, + view_mode:, + heading: t("openid_connect.providers.label_client_details"), + description: t("openid_connect.providers.client_details_description"), + label: provider.advanced_details_configured? ? t(:label_completed) : t(:label_not_configured), + label_scheme: provider.advanced_details_configured? ? :success : :secondary + )) + end + end + + component.with_row(scheme: :neutral, color: :muted) do + render(Primer::Beta::Text.new(font_weight: :bold)) { I18n.t('openid_connect.providers.label_optional_configuration') } + end + + component.with_row(scheme: :default) do + if edit_state == :attribute_mapping + render(OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::AttributeMappingForm, + edit_state:, + next_edit_state: :claims, + edit_mode:, + heading: nil + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :attribute_mapping, + view_mode:, + heading: t("openid_connect.providers.label_attribute_mapping"), + description: t("openid_connect.providers.section_texts.attribute_mapping"), + label: provider.mapping_configured? ? t(:label_completed) : nil, + label_scheme: provider.mapping_configured? ? :success : :secondary + )) + end + end + + component.with_row(scheme: :default) do + if edit_state == :claims + render(OpenIDConnect::Providers::Sections::FormComponent.new( + provider, + form_class: OpenIDConnect::Providers::ClaimsForm, + edit_state:, + edit_mode:, + heading: nil + )) + else + render(OpenIDConnect::Providers::Sections::ShowComponent.new( + provider, + target_state: :claims, + view_mode:, + heading: t("activemodel.attributes.openid_connect/provider.claims"), + description: t("openid_connect.providers.section_texts.claims") + )) + end + end + end + end %> +<% end %> diff --git a/modules/openid_connect/app/components/openid_connect/providers/view_component.rb b/modules/openid_connect/app/components/openid_connect/providers/view_component.rb new file mode 100644 index 000000000000..400203eb270c --- /dev/null +++ b/modules/openid_connect/app/components/openid_connect/providers/view_component.rb @@ -0,0 +1,42 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ +# +module OpenIDConnect + module Providers + class ViewComponent < ApplicationComponent + include OpTurbo::Streamable + include OpPrimer::ComponentHelpers + + options :view_mode, :edit_state, :edit_mode + + alias_method :provider, :model + end + end +end diff --git a/modules/openid_connect/app/contracts/openid_connect/providers/base_contract.rb b/modules/openid_connect/app/contracts/openid_connect/providers/base_contract.rb new file mode 100644 index 000000000000..e61b68fd0d40 --- /dev/null +++ b/modules/openid_connect/app/contracts/openid_connect/providers/base_contract.rb @@ -0,0 +1,82 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ +module OpenIDConnect + module Providers + class BaseContract < ModelContract + include RequiresAdminGuard + + def self.model + OpenIDConnect::Provider + end + + attribute :display_name + attribute :oidc_provider + validates :oidc_provider, + presence: true, + inclusion: { in: OpenIDConnect::Provider::OIDC_PROVIDERS } + attribute :slug + attribute :options + attribute :limit_self_registration + + attribute :claims + validate :claims_are_json + + attribute :acr_values + + %i[metadata_url authorization_endpoint userinfo_endpoint token_endpoint end_session_endpoint jwks_uri].each do |attr| + attribute attr + validates attr, + url: { allow_blank: true, allow_nil: true, schemes: %w[http https] }, + if: -> { model.public_send(:"#{attr}_changed?") && !path_attribute?(model.public_send(attr)) } + end + + attribute :post_logout_redirect_uri + validates :post_logout_redirect_uri, + url: { allow_blank: true, allow_nil: true, schemes: %w[http https] }, + if: -> { model.post_logout_redirect_uri_changed? } + + OpenIDConnect::Provider::MAPPABLE_ATTRIBUTES.each do |attr| + attribute :"mapping_#{attr}" + end + + private + + def path_attribute?(attr) + attr.blank? || attr.start_with?("/") + end + + def claims_are_json + return if claims.blank? + + JSON.parse(claims) + rescue JSON::ParserError + errors.add(:claims, :not_json) + end + end + end +end diff --git a/modules/openid_connect/app/contracts/openid_connect/providers/create_contract.rb b/modules/openid_connect/app/contracts/openid_connect/providers/create_contract.rb new file mode 100644 index 000000000000..3f6e5232e93d --- /dev/null +++ b/modules/openid_connect/app/contracts/openid_connect/providers/create_contract.rb @@ -0,0 +1,34 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ +module OpenIDConnect + module Providers + class CreateContract < BaseContract + attribute :type + end + end +end diff --git a/modules/openid_connect/app/contracts/openid_connect/providers/delete_contract.rb b/modules/openid_connect/app/contracts/openid_connect/providers/delete_contract.rb new file mode 100644 index 000000000000..89a44cf5904d --- /dev/null +++ b/modules/openid_connect/app/contracts/openid_connect/providers/delete_contract.rb @@ -0,0 +1,35 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class DeleteContract < ::DeleteContract + delete_permission :admin + end + end +end diff --git a/modules/openid_connect/app/contracts/openid_connect/providers/update_contract.rb b/modules/openid_connect/app/contracts/openid_connect/providers/update_contract.rb new file mode 100644 index 000000000000..4b6ec6a47baa --- /dev/null +++ b/modules/openid_connect/app/contracts/openid_connect/providers/update_contract.rb @@ -0,0 +1,34 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class UpdateContract < BaseContract + end + end +end diff --git a/modules/openid_connect/app/controllers/openid_connect/providers_controller.rb b/modules/openid_connect/app/controllers/openid_connect/providers_controller.rb index ac436d6418fe..e2477b25b1ef 100644 --- a/modules/openid_connect/app/controllers/openid_connect/providers_controller.rb +++ b/modules/openid_connect/app/controllers/openid_connect/providers_controller.rb @@ -1,47 +1,70 @@ module OpenIDConnect class ProvidersController < ::ApplicationController + include OpTurbo::ComponentStream + layout "admin" menu_item :plugin_openid_connect before_action :require_admin before_action :check_ee - before_action :find_provider, only: %i[edit update destroy] + before_action :find_provider, only: %i[edit update confirm_destroy destroy] + before_action :set_edit_state, only: %i[create edit update] - def index; end + def index + @providers = ::OpenIDConnect::Provider.all + end def new - if openid_connect_providers_available_for_configure.none? - redirect_to action: :index - else - @provider = ::OpenIDConnect::Provider.initialize_with({ use_graph_api: true }) - end + oidc_provider = case params[:oidc_provider] + when "google" + "google" + when "microsoft_entra" + "microsoft_entra" + else + "custom" + end + @provider = OpenIDConnect::Provider.new(oidc_provider:) end def create - @provider = ::OpenIDConnect::Provider.initialize_with(create_params) + create_params = params + .require(:openid_connect_provider) + .permit(:display_name, :oidc_provider, :tenant) + + call = ::OpenIDConnect::Providers::CreateService + .new(user: User.current) + .call(**create_params) - if @provider.save - flash[:notice] = I18n.t(:notice_successful_create) - redirect_to action: :index + @provider = call.result + + if call.success? + successful_save_response else - render action: :new + failed_save_response(:new) end end def edit; end def update - @provider = ::OpenIDConnect::Provider.initialize_with( - update_params.merge("name" => params[:id]) - ) - if @provider.save - flash[:notice] = I18n.t(:notice_successful_update) - redirect_to action: :index + update_params = params + .require(:openid_connect_provider) + .permit(:display_name, :oidc_provider, :limit_self_registration, + *OpenIDConnect::Provider.stored_attributes[:options]) + call = OpenIDConnect::Providers::UpdateService + .new(model: @provider, user: User.current) + .call(update_params) + + if call.success? + successful_save_response else - render action: :edit + @provider = call.result + failed_save_response(edit) end end + def confirm_destroy; end + def destroy if @provider.destroy flash[:notice] = I18n.t(:notice_successful_delete) @@ -61,39 +84,68 @@ def check_ee end end - def create_params - params - .require(:openid_connect_provider) - .permit(:name, :display_name, :identifier, :secret, :limit_self_registration, :tenant, :use_graph_api) + def find_provider + @provider = OpenIDConnect::Provider.find(params[:id]) + rescue ActiveRecord::RecordNotFound + render_404 end - def update_params - params - .require(:openid_connect_provider) - .permit(:display_name, :identifier, :secret, :limit_self_registration, :tenant, :use_graph_api) - end + def default_breadcrumb; end - def find_provider - @provider = providers.find { |provider| provider.id.to_s == params[:id].to_s } - if @provider.nil? - render_404 - end + def show_local_breadcrumb + false end - def providers - @providers ||= OpenProject::OpenIDConnect.providers + def successful_save_response + respond_to do |format| + format.turbo_stream do + update_via_turbo_stream( + component: OpenIDConnect::Providers::ViewComponent.new( + @provider, + edit_mode: @edit_mode, + edit_state: @next_edit_state, + view_mode: :show + ) + ) + render turbo_stream: turbo_streams + end + format.html do + flash[:notice] = I18n.t(:notice_successful_update) unless @edit_mode + if @edit_mode && @next_edit_state + redirect_to edit_openid_connect_provider_path(@provider, + anchor: "openid-connect-providers-edit-form", + edit_mode: true, + edit_state: @next_edit_state) + else + redirect_to openid_connect_provider_path(@provider) + end + end + end end - helper_method :providers - def openid_connect_providers_available_for_configure - Provider::ALLOWED_TYPES.dup - providers.map(&:name) + def failed_save_response(action_to_render) + respond_to do |format| + format.turbo_stream do + update_via_turbo_stream( + component: OpenIDConnect::Providers::ViewComponent.new( + @provider, + edit_mode: @edit_mode, + edit_state: @edit_state, + view_mode: :show + ) + ) + render turbo_stream: turbo_streams + end + format.html do + render action: action_to_render + end + end end - helper_method :openid_connect_providers_available_for_configure - - def default_breadcrumb; end - def show_local_breadcrumb - false + def set_edit_state + @edit_state = params[:edit_state].to_sym if params.key?(:edit_state) + @edit_mode = ActiveRecord::Type::Boolean.new.cast(params[:edit_mode]) + @next_edit_state = params[:next_edit_state].to_sym if params.key?(:next_edit_state) end end end diff --git a/modules/openid_connect/app/models/openid_connect/provider.rb b/modules/openid_connect/app/models/openid_connect/provider.rb index df19926d187e..18fa645b5150 100644 --- a/modules/openid_connect/app/models/openid_connect/provider.rb +++ b/modules/openid_connect/app/models/openid_connect/provider.rb @@ -1,131 +1,91 @@ module OpenIDConnect - class Provider - ALLOWED_TYPES = ["azure", "google"].freeze + class Provider < AuthProvider + include HashBuilder - class NewProvider < OpenStruct - def to_h - @table.compact - end - end - - extend ActiveModel::Naming - include ActiveModel::Conversion - extend ActiveModel::Translation - attr_reader :errors, :omniauth_provider + OIDC_PROVIDERS = %w[google microsoft_entra custom].freeze + DISCOVERABLE_ATTRIBUTES_MANDATORY = %i[authorization_endpoint + userinfo_endpoint + token_endpoint + issuer].freeze + DISCOVERABLE_ATTRIBUTES_OPTIONAL = %i[end_session_endpoint jwks_uri].freeze + DISCOVERABLE_ATTRIBUTES_ALL = DISCOVERABLE_ATTRIBUTES_MANDATORY + DISCOVERABLE_ATTRIBUTES_OPTIONAL - attr_accessor :display_name + MAPPABLE_ATTRIBUTES = %i[login email first_name last_name admin].freeze - delegate :name, to: :omniauth_provider, allow_nil: true - delegate :identifier, to: :omniauth_provider, allow_nil: true - delegate :secret, to: :omniauth_provider, allow_nil: true - delegate :scope, to: :omniauth_provider, allow_nil: true - delegate :to_h, to: :omniauth_provider, allow_nil: false + store_attribute :options, :oidc_provider, :string + store_attribute :options, :metadata_url, :string + store_attribute :options, :icon, :string - delegate :tenant, to: :omniauth_provider, allow_nil: false - delegate :configuration, to: :omniauth_provider, allow_nil: true - delegate :use_graph_api, to: :omniauth_provider, allow_nil: false - - def initialize(omniauth_provider) - @omniauth_provider = omniauth_provider - @errors = ActiveModel::Errors.new(self) - @display_name = omniauth_provider.to_h[:display_name] + DISCOVERABLE_ATTRIBUTES_ALL.each do |attribute| + store_attribute :options, attribute, :string end - - def self.initialize_with(params) - normalized = normalized_params(params) - - # We want all providers to be limited by the self registration setting by default - normalized.reverse_merge!(limit_self_registration: true) - - new(NewProvider.new(normalized)) + MAPPABLE_ATTRIBUTES.each do |attribute| + store_attribute :options, "mapping_#{attribute}", :string end - def self.normalized_params(params) - transformed = %i[limit_self_registration use_graph_api].filter_map do |key| - if params.key?(key) - value = params[key] - [key, ActiveRecord::Type::Boolean.new.deserialize(value)] - end - end + store_attribute :options, :client_id, :string + store_attribute :options, :client_secret, :string + store_attribute :options, :post_logout_redirect_uri, :string + store_attribute :options, :tenant, :string + store_attribute :options, :host, :string + store_attribute :options, :scheme, :string + store_attribute :options, :port, :string - params.merge(transformed.to_h) - end + store_attribute :options, :claims, :string + store_attribute :options, :acr_values, :string - def new_record? - !persisted? - end + # azure specific option + store_attribute :options, :use_graph_api, :boolean - def persisted? - omniauth_provider.is_a?(OmniAuth::OpenIDConnect::Provider) - end + def self.slug_fragment = "oidc" - def limit_self_registration - (configuration || {}).fetch(:limit_self_registration, true) + def human_type + "OpenID Connect" end - alias_method :limit_self_registration?, :limit_self_registration - - def to_h - return {} if omniauth_provider.nil? - - omniauth_provider.to_h + def seeded_from_env? + (Setting.seed_oidc_provider || {}).key?(slug) end - def id - return nil unless persisted? - - name + def advanced_details_configured? + client_id.present? && client_secret.present? end - def valid? - @errors.add(:name, :invalid) unless type_allowed?(name) - @errors.add(:identifier, :blank) if identifier.blank? - @errors.add(:secret, :blank) if secret.blank? - @errors.none? - end + def metadata_configured? + return true if google? || entra_id? - ## - # Checks if the provider with the given name is of an allowed type. - # - # Types can be followed by a period and arbitrary names to add several - # providers of the same type. E.g. 'azure', 'azure.dep1', 'azure.dep2'. - def type_allowed?(name) - ALLOWED_TYPES.any? { |allowed| name =~ /\A#{allowed}(\..+)?\Z/ } + DISCOVERABLE_ATTRIBUTES_MANDATORY.all? do |mandatory_attribute| + public_send(mandatory_attribute).present? + end end - def save - return false unless valid? - - Setting.plugin_openproject_openid_connect = setting_with_provider - - true + def mapping_configured? + MAPPABLE_ATTRIBUTES.any? do |mandatory_attribute| + public_send(:"mapping_#{mandatory_attribute}").present? + end end - def destroy - Setting.plugin_openproject_openid_connect = setting_without_provider - - true + def google? + oidc_provider == "google" end - def setting_with_provider - setting.deep_merge "providers" => { name => to_h.stringify_keys } + def entra_id? + oidc_provider == "microsoft_entra" end - def setting_without_provider - setting.tap do |s| - s["providers"].delete name - end + def configured? + display_name.present? && advanced_details_configured? && metadata_configured? end - def setting - Hash(Setting.plugin_openproject_openid_connect).tap do |h| - h["providers"] ||= Hash.new + def icon + case oidc_provider + when "google" + "openid_connect/auth_provider-google.png" + when "microsoft_entra" + "openid_connect/auth_provider-azure.png" + else + super.presence || "openid_connect/auth_provider-custom.png" end end - - # https://api.rubyonrails.org/classes/ActiveModel/Errors.html - def read_attribute_for_validation(attr) - send(attr) - end end end diff --git a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb new file mode 100644 index 000000000000..23e59aa43a8e --- /dev/null +++ b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb @@ -0,0 +1,49 @@ +module OpenIDConnect + module Provider::HashBuilder + def attribute_map + OpenIDConnect::Provider::MAPPABLE_ATTRIBUTES + .index_with { |attr| public_send(:"mapping_#{attr}") } + .compact_blank + end + + def to_h # rubocop:disable Metrics/AbcSize + { + name: slug, + oidc_provider:, + icon:, + host:, + scheme:, + port:, + display_name:, + userinfo_endpoint:, + authorization_endpoint:, + jwks_uri:, + issuer:, + identifier: client_id, + secret: client_secret, + token_endpoint:, + limit_self_registration:, + end_session_endpoint:, + attribute_map: + }.merge(attribute_map) + .merge(provider_specific_to_h) + .compact_blank + end + + def provider_specific_to_h + case oidc_provider + when "google" + { + client_auth_method: :not_basic, + send_nonce: false + } + when "microsoft_entra" + { + use_graph_api: + } + else + {} + end + end + end +end diff --git a/modules/openid_connect/app/seeders/env_data/openid_connect/provider_seeder.rb b/modules/openid_connect/app/seeders/env_data/openid_connect/provider_seeder.rb new file mode 100644 index 000000000000..732ff3bc3e48 --- /dev/null +++ b/modules/openid_connect/app/seeders/env_data/openid_connect/provider_seeder.rb @@ -0,0 +1,52 @@ +#-- copyright + +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module EnvData + module OpenIDConnect + class ProviderSeeder < Seeder + def seed_data! + Setting.seed_oidc_provider.each do |name, configuration| + print_status " ↳ Creating or Updating OpenID provider #{name}" do + call = ::OpenIDConnect::SyncService.new(name, configuration.merge(name:)).call + + if call.success + print_status " - #{call.message}" + else + raise call.message + end + end + end + end + + def applicable? + Setting.seed_oidc_provider.present? + end + end + end +end diff --git a/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb new file mode 100644 index 000000000000..5ee45847c192 --- /dev/null +++ b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb @@ -0,0 +1,111 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + class ConfigurationMapper + attr_reader :configuration + + def initialize(configuration) + @configuration = configuration + end + + def call! # rubocop:disable Metrics/AbcSize + options = configuration.deep_stringify_keys + + { + "slug" => options["name"], + "display_name" => options["display_name"].presence || "OpenID Connect", + "oidc_provider" => oidc_provider(options), + "client_id" => options["identifier"], + "client_secret" => options["secret"], + "issuer" => options["issuer"], + "host" => options["host"], + "port" => options["port"], + "scheme" => options["scheme"], + "claims" => options["claims"], + "tenant" => options["tenant"], + "post_logout_redirect_uri" => options["post_logout_redirect_uri"], + "limit_self_registration" => options["limit_self_registration"], + "use_graph_api" => options["use_graph_api"], + "acr_values" => options["acr_values"], + "authorization_endpoint" => extract_url(options, "authorization_endpoint"), + "token_endpoint" => extract_url(options, "token_endpoint"), + "userinfo_endpoint" => extract_url(options, "userinfo_endpoint"), + "end_session_endpoint" => extract_url(options, "end_session_endpoint"), + "jwks_uri" => extract_url(options, "jwks_uri"), + "mapping_login" => options.dig("attribute_map", "login"), + "mapping_mail" => options.dig("attribute_map", "email"), + "mapping_firstname" => options.dig("attribute_map", "first_name"), + "mapping_lastname" => options.dig("attribute_map", "last_name"), + "mapping_admin" => options.dig("attribute_map", "admin") + }.compact + end + + private + + def oidc_provider(options) + case options["name"] + when /azure/ + "microsoft_entra" + when /google/ + "google" + else + "custom" + end + end + + def extract_url(options, key) + value = options[key] + return value if value.blank? || value.start_with?("http") + + unless value.start_with?("/") + raise ArgumentError.new("Provided #{key} '#{value}' needs to be http(s) URL or path starting with a slash.") + end + + # Allow returning the value as is for built-in providers + # with fixed host names + if oidc_provider(options) != "custom" + return value + end + + URI + .join(base_url(options), value) + .to_s + end + + def base_url(options) + raise ArgumentError.new("Missing host in configuration") unless options["host"] + + URI::Generic.build( + host: options["host"], + port: options["port"], + scheme: options["scheme"] || "https" + ).to_s + end + end +end diff --git a/modules/openid_connect/app/services/openid_connect/providers/create_service.rb b/modules/openid_connect/app/services/openid_connect/providers/create_service.rb new file mode 100644 index 000000000000..734fd5378978 --- /dev/null +++ b/modules/openid_connect/app/services/openid_connect/providers/create_service.rb @@ -0,0 +1,34 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class CreateService < BaseServices::Create + end + end +end diff --git a/modules/openid_connect/app/services/openid_connect/providers/delete_service.rb b/modules/openid_connect/app/services/openid_connect/providers/delete_service.rb new file mode 100644 index 000000000000..11416b30fa3b --- /dev/null +++ b/modules/openid_connect/app/services/openid_connect/providers/delete_service.rb @@ -0,0 +1,33 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ +module OpenIDConnect + module Providers + class DeleteService < BaseServices::Delete + end + end +end diff --git a/modules/openid_connect/app/services/openid_connect/providers/set_attributes_service.rb b/modules/openid_connect/app/services/openid_connect/providers/set_attributes_service.rb new file mode 100644 index 000000000000..e0b2cbec2417 --- /dev/null +++ b/modules/openid_connect/app/services/openid_connect/providers/set_attributes_service.rb @@ -0,0 +1,65 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class SetAttributesService < BaseServices::SetAttributes + private + + def set_default_attributes(*) # rubocop:disable Metrics/AbcSize + model.change_by_system do + model.issuer ||= OpenProject::StaticRouting::StaticUrlHelpers.new.root_url + model.creator ||= user + model.slug ||= "#{model.class.slug_fragment}-#{model.display_name.to_url}" if model.display_name + end + end + + def set_attributes(params) + update_options(params.delete(:options)) if params.key?(:options) + + super + + update_available_state + end + + def update_available_state + model.change_by_system do + model.available = model.configured? + end + end + + def update_options(options) + options + .select { |key, _| Saml::Provider.stored_attributes[:options].include?(key.to_s) } + .each do |key, value| + model.public_send(:"#{key}=", value) + end + end + end + end +end diff --git a/modules/openid_connect/app/services/openid_connect/providers/update_service.rb b/modules/openid_connect/app/services/openid_connect/providers/update_service.rb new file mode 100644 index 000000000000..3297b5109b2b --- /dev/null +++ b/modules/openid_connect/app/services/openid_connect/providers/update_service.rb @@ -0,0 +1,100 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + module Providers + class UpdateService < BaseServices::Update + class AttributesContract < Dry::Validation::Contract + params do + OpenIDConnect::Provider::DISCOVERABLE_ATTRIBUTES_MANDATORY.each do |attribute| + required(attribute).filled(:string) + end + OpenIDConnect::Provider::DISCOVERABLE_ATTRIBUTES_OPTIONAL.each do |attribute| + optional(attribute).filled(:string) + end + end + end + + def after_validate(_params, call) + model = call.result + metadata_url = get_metadata_url(model) + return call if metadata_url.blank? + + extract_metadata(call, metadata_url, model) + end + + def extract_metadata(call, metadata_url, model) # rubocop:disable Metrics/AbcSize + case (response = OpenProject.httpx.get(metadata_url)) + in {status: 200..299} + json = begin + response.json + rescue HTTPX::Error + call.errors.add(:metadata_url, :response_is_not_json) + call.success = false + end + result = AttributesContract.new.call(json) + if result.errors.empty? + model.assign_attributes(result.to_h) + # Microsoft responds with + # "https://login.microsoftonline.com/{tenantid}/v2.0" in issuer field for whatever reason... + if model.oidc_provider == "microsoft_entra" + model.issuer = "https://login.microsoftonline.com/#{model.tenant}/v2.0" + end + else + call.errors.add(:metadata_url, + :response_misses_required_attributes, + missing_attributes: result.errors.attribute_names.join(", ")) + call.success = false + end + in {status: 300..} + call.errors.add(:metadata_url, :response_is_not_successful, status: response.status) + call.success = false + in {error: error} + call.message = error.message + call.success = false + else + call.message = I18n.t(:notice_internal_server_error) + call.success = false + end + + call + end + + def get_metadata_url(model) + case model.oidc_provider + when "google" + "https://accounts.google.com/.well-known/openid-configuration" + when "microsoft_entra" + "https://login.microsoftonline.com/#{model.tenant || 'common'}/v2.0/.well-known/openid-configuration" + else + model.metadata_url + end + end + end + end +end diff --git a/modules/openid_connect/app/services/openid_connect/sync_service.rb b/modules/openid_connect/app/services/openid_connect/sync_service.rb new file mode 100644 index 000000000000..94dee1aa65c2 --- /dev/null +++ b/modules/openid_connect/app/services/openid_connect/sync_service.rb @@ -0,0 +1,66 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) 2012-2024 the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +module OpenIDConnect + class SyncService + attr_reader :name, :configuration + + def initialize(name, configuration) + @name = name + configuration[:name] = name + @configuration = configuration + end + + def call + mapped_configuration = ::OpenIDConnect::ConfigurationMapper.new(@configuration).call! + provider = ::OpenIDConnect::Provider.find_by(slug: name) + + service_call(provider, mapped_configuration) + rescue StandardError => e + ServiceResult.failure(message: e.message) + end + + private + + def service_call(provider, configuration) # rubocop:disable Metrics/AbcSize + if provider + ::OpenIDConnect::Providers::UpdateService + .new(model: provider, user: User.system) + .call(configuration) + .on_success { |call| call.message = "Successfully updated OpenID provider #{name}." } + .on_failure { |call| call.message = "Failed to update OpenID provider: #{call.message}" } + else + ::OpenIDConnect::Providers::CreateService + .new(user: User.system) + .call(configuration) + .on_success { |call| call.message = "Successfully created OpenID provider #{name}." } + .on_failure { |call| call.message = "Failed to create OpenID provider: #{call.message}" } + end + end + end +end diff --git a/modules/openid_connect/app/views/openid_connect/providers/_azure_form.html.erb b/modules/openid_connect/app/views/openid_connect/providers/_azure_form.html.erb deleted file mode 100644 index 1c948da0dd0f..000000000000 --- a/modules/openid_connect/app/views/openid_connect/providers/_azure_form.html.erb +++ /dev/null @@ -1,21 +0,0 @@ -<% if (@provider.new_record? && !providers.map(&:name).include?('azure')) || @provider.name == 'azure' %> - <%= content_tag :fieldset, - class: 'form--fieldset', - data: { - 'admin--openid-connect-providers-target': 'azureForm', - }, - hidden: @provider.name.present? && @provider.name != 'azure' do %> -
- <%= f.text_field :tenant, required: true, placeholder: 'common', container_class: '-middle' %> -
- <%= t('openid_connect.setting_instructions.azure_tenant_html') %> -
-
-
- <%= f.check_box :use_graph_api, container_class: '-middle' %> -
- <%= t('openid_connect.setting_instructions.azure_graph_api') %> -
-
- <% end %> -<% end %> diff --git a/modules/openid_connect/app/views/openid_connect/providers/_form.html.erb b/modules/openid_connect/app/views/openid_connect/providers/_form.html.erb deleted file mode 100644 index 046a0bbfefa2..000000000000 --- a/modules/openid_connect/app/views/openid_connect/providers/_form.html.erb +++ /dev/null @@ -1,43 +0,0 @@ -<% if @provider.persisted? && @provider.name == 'azure' && @provider.tenant.empty? %> -
-
-

<%= I18n.t('openid_connect.setting_instructions.azure_deprecation_warning') %>

-
-
-<% end %> - -
- <% unless @provider.persisted? -%> -
- <%= f.collection_select :name, - openid_connect_providers_available_for_configure, - :to_s, - :capitalize, - { container_class: '-middle', required: true }, - data: { - 'action': 'admin--openid-connect-providers#updateTypeForm' - } - %> -
- <% end -%> - -
- <%= f.text_field :display_name, required: false, container_class: '-middle' %> -
- -
- <%= f.text_field :identifier, required: true, container_class: '-middle' %> -
- -
- <%= f.text_field :secret, required: true, container_class: '-middle' %> -
- -
- <%= f.check_box :limit_self_registration, required: false, container_class: '-middle' %> -
- <%= I18n.t('openid_connect.setting_instructions.limit_self_registration') %> -
-
-
-<%= render partial: 'azure_form', locals: { f: } %> diff --git a/modules/openid_connect/app/views/openid_connect/providers/confirm_destroy.html.erb b/modules/openid_connect/app/views/openid_connect/providers/confirm_destroy.html.erb new file mode 100644 index 000000000000..20e95fd78a7f --- /dev/null +++ b/modules/openid_connect/app/views/openid_connect/providers/confirm_destroy.html.erb @@ -0,0 +1,66 @@ +<%#-- copyright +OpenProject is an open source project management software. +Copyright (C) the OpenProject GmbH + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License version 3. + +OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +Copyright (C) 2006-2013 Jean-Philippe Lang +Copyright (C) 2010-2013 the ChiliProject Team + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +See COPYRIGHT and LICENSE files for more details. + +++#%> +<%= styled_form_tag(openid_connect_provider_path(@provider), + class: 'danger-zone', + method: :delete) do %> +
+

+ <%= t('openid_connect.delete_title') %> +

+

+ <%= t('provider.delete_warning.provider', name: content_tag(:strong, @provider.display_name)).html_safe %> +

+
    +
  • <%= t('provider.delete_warning.delete_result_1') %> +
  • <%= t('provider.delete_warning.delete_result_user_count', count: @provider.user_count) %> + <% if Setting.omniauth_direct_login_provider == @provider.slug %> +
  • <%= t('provider.delete_warning.delete_result_direct') %> + <% end %> +
+

+ + <%= t('provider.delete_warning.irreversible_notice') %> +

+

+ <%= t('provider.delete_warning.input_delete_confirmation', name: "#{h(@provider.display_name)}").html_safe %> +

+
+ <%= text_field_tag :delete_confirmation %> + <%= styled_button_tag title: t(:button_delete), class: '-primary', disabled: true do + concat content_tag :i, '', class: 'button--icon icon-delete' + concat content_tag :span, t(:button_delete), class: 'button--text' + end %> + <%= link_to openid_connect_providers_path, + title: t(:button_cancel), + class: 'button -with-icon icon-cancel' do %> + <%= t(:button_cancel) %> + <% end %> +
+
+<% end %> diff --git a/modules/openid_connect/app/views/openid_connect/providers/edit.html.erb b/modules/openid_connect/app/views/openid_connect/providers/edit.html.erb index fd27b98d44bf..186c079beb80 100644 --- a/modules/openid_connect/app/views/openid_connect/providers/edit.html.erb +++ b/modules/openid_connect/app/views/openid_connect/providers/edit.html.erb @@ -1,25 +1,32 @@ -<% page_title = t('openid_connect.providers.label_edit', name: @provider.name) %> -<% local_assigns[:additional_breadcrumb] = @provider.name %> +<% page_title = t('openid_connect.providers.label_edit', name: @provider.display_name) %> +<% local_assigns[:additional_breadcrumb] = @provider.display_name %> <% html_title(t(:label_administration), page_title) -%> <%= render Primer::OpenProject::PageHeader.new do |header| - header.with_title { @provider.name } + header.with_title { @provider.display_name } header.with_breadcrumbs([{ href: admin_index_path, text: t(:label_administration) }, { href: admin_settings_authentication_path, text: t(:label_authentication) }, { href: openid_connect_providers_path, text: t("openid_connect.providers.plural") }, - @provider.name]) + @provider.display_name]) + header.with_action_button( + tag: :a, + scheme: :danger, + mobile_icon: :trash, + mobile_label: t(:button_delete), + size: :medium, + href: confirm_destroy_openid_connect_provider_path(@provider), + aria: { label: I18n.t(:button_delete) }, + title: I18n.t(:button_delete) + ) do |button| + button.with_leading_visual_icon(icon: :trash) + t(:button_delete) + end end %> -<%= error_messages_for @provider %> - -<%= labelled_tabular_form_for @provider, - html: { class: 'form', autocomplete: 'off' } do |f| %> - <%= render partial: "form", locals: { f: f } %> -

- <%= styled_button_tag t(:button_save), class: '-primary -with-icon icon-checkmark' %> - <%= link_to t(:button_cancel), { action: :index }, class: 'button -with-icon icon-cancel' %> -

-<% end %> +<%= render(OpenIDConnect::Providers::ViewComponent.new(@provider, + view_mode: :edit, + edit_mode: @edit_mode, + edit_state: @edit_state)) %> diff --git a/modules/openid_connect/app/views/openid_connect/providers/index.html.erb b/modules/openid_connect/app/views/openid_connect/providers/index.html.erb index 4578dc4a5de1..69ee277667dc 100644 --- a/modules/openid_connect/app/views/openid_connect/providers/index.html.erb +++ b/modules/openid_connect/app/views/openid_connect/providers/index.html.erb @@ -11,15 +11,28 @@ <%= render(Primer::OpenProject::SubHeader.new) do |subheader| - subheader.with_action_button(scheme: :primary, - aria: { label: I18n.t("openid_connect.providers.label_add_new") }, - title: I18n.t("openid_connect.providers.label_add_new"), - tag: :a, - href: new_openid_connect_provider_path) do |button| - button.with_leading_visual_icon(icon: :plus) - t("openid_connect.providers.singular") + subheader.with_action_component do + render(Primer::Alpha::ActionMenu.new( + anchor_align: :end) + ) do |menu| + menu.with_show_button( + scheme: :primary, + aria: { label: I18n.t("openid_connect.providers.label_add_new") }, + ) do |button| + button.with_leading_visual_icon(icon: :plus) + button.with_trailing_action_icon(icon: :"triangle-down") + I18n.t("openid_connect.providers.singular") + end + + OpenIDConnect::Provider::OIDC_PROVIDERS.each do |provider_type| + menu.with_item( + label: I18n.t("openid_connect.providers.#{provider_type}.name"), + href: url_helpers.new_openid_connect_provider_path(oidc_provider: provider_type) + ) + end + end end - end if openid_connect_providers_available_for_configure.any? + end %> -<%= render ::OpenIDConnect::Providers::TableComponent.new(rows: providers) %> +<%= render ::OpenIDConnect::Providers::TableComponent.new(rows: @providers) %> diff --git a/modules/openid_connect/app/views/openid_connect/providers/new.html.erb b/modules/openid_connect/app/views/openid_connect/providers/new.html.erb index a82a34b5f4e1..e88aa00be8f3 100644 --- a/modules/openid_connect/app/views/openid_connect/providers/new.html.erb +++ b/modules/openid_connect/app/views/openid_connect/providers/new.html.erb @@ -10,16 +10,4 @@ end %> -<%= error_messages_for @provider %> - -<% content_controller 'admin--openid-connect-providers', - dynamic: true %> - -<%= labelled_tabular_form_for @provider, - html: { class: 'form', autocomplete: 'off' } do |f| %> - <%= render partial: "form", locals: { f: f } %> -

- <%= styled_button_tag t(:button_create), class: '-primary -with-icon icon-checkmark' %> - <%= link_to t(:button_cancel), { action: :index }, class: 'button -with-icon icon-cancel' %> -

-<% end %> +<%= render(OpenIDConnect::Providers::ViewComponent.new(@provider, edit_mode: true, edit_state: :name)) %> diff --git a/modules/openid_connect/config/locales/de.yml b/modules/openid_connect/config/locales/de.yml deleted file mode 100644 index b7a306417071..000000000000 --- a/modules/openid_connect/config/locales/de.yml +++ /dev/null @@ -1,27 +0,0 @@ -de: - logout_warning: > - Sie wurden ausgeloggt. Inhalte von Formularen, die sie abschicken möchten, - können verloren gehen. Bitte [loggen Sie sich wieder ein]. - activemodel: - attributes: - openid_connect/provider: - name: Name - display_name: Angezeigter Name - identifier: Identifier - secret: Secret - scope: Scope - limit_self_registration: Selbstregistrierung einschränken - openid_connect: - menu_title: OpenID-Provider - providers: - label_add_new: Einen neuen OpenID-Provider hinzufügen - label_edit: OpenID-Provider %{name} bearbeiten - no_results_table: Es wurden noch keine OpenID-Provider konfiguriert. - plural: OpenID-Provider - singular: OpenID-Provider - upsale: - description: Use existing OpenID credentials with OpenProject for easier access and interoperability with a range of other providers. - setting_instructions: - limit_self_registration: > - Wenn diese Option aktiv ist, können sich neue Nutzer mit diesem OpenID-Provider nur registrieren, - wenn die Selbstregistrierungs-Einstellung es erlaubt. diff --git a/modules/openid_connect/config/locales/en.yml b/modules/openid_connect/config/locales/en.yml index affacbce8a4f..76689750d8c5 100644 --- a/modules/openid_connect/config/locales/en.yml +++ b/modules/openid_connect/config/locales/en.yml @@ -10,25 +10,114 @@ en: openid_connect/provider: name: Name display_name: Display name - identifier: Identifier + client_id: Client ID + client_secret: Client secret secret: Secret scope: Scope limit_self_registration: Limit self registration + authorization_endpoint: Authorization endpoint + userinfo_endpoint: User information endpoint + token_endpoint: Token endpoint + end_session_endpoint: End session endpoint + post_logout_redirect_uri: Post logout redirect URI + jwks_uri: JWKS URI + issuer: Issuer + tenant: Tenant + metadata_url: Metadata URL + icon: Custom icon + claims: Claims + acr_values: ACR values + activerecord: + errors: + models: + openid_connect/provider: + attributes: + metadata_url: + format: "Discovery endpoint URL %{message}" + response_is_not_successful: " responds with %{status}." + response_is_not_json: " does not return JSON body." + response_misses_required_attributes: " does not return required attributes. Missing attributes are: %{missing_attributes}." + + provider: + delete_warning: + input_delete_confirmation: Enter the provider name %{name} to confirm deletion. + irreversible_notice: Deleting an SSO provider is an irreversible action. + provider: 'Are you sure you want to delete the SSO provider %{name}? To confirm this action please enter the name of the provider in the field below, this will:' + delete_result_1: Remove the provider from the list of available providers. + delete_result_user_count: + zero: No users are currently using this provider. No further action is required. + one: "One user is currently still using this provider. They will need to be re-invited or logging in with another provider." + other: "%{count} users are currently still using this provider. They will need to be re-invited or logging in with another provider." + delete_result_direct: This provider is marked as a direct login provider. The setting will be removed and users will no longer be redirected to the provider for login. + openid_connect: menu_title: OpenID providers + delete_title: "Delete OpenID Connect provider" + + instructions: + endpoint_url: The endpoint URL given to you by the OpenID Connect provider + metadata_none: I don't have this information + metadata_url: I have a discovery endpoint URL + client_id: This is the client ID given to you by your OpenID Connect provider + client_secret: This is the client secret given to you by your OpenID Connect provider + limit_self_registration: If enabled, users can only register using this provider if configuration on the prvoder's end allows it. + display_name: Then name of the provider. This will be displayed as the login button and in the list of providers. + tenant: Please replace the default tenant with your own if applicable. See this. + post_logout_redirect_uri: The URL the OpenID Connect provider should redirect to after a logout request. + claims: > + You can request additional claims for the userinfo and id token endpoints. Please see [our OpenID connect documentation](docs_url) for more information. + acr_values: > + Request non-essential claims in an easier format. See [our documentation on acr_values](docs_url) for more information. + mapping_login: > + Provide a custom mapping in the userinfo response to be used for the login attribute. + mapping_email: > + Provide a custom mapping in the userinfo response to be used for the email attribute. + mapping_first_name: > + Provide a custom mapping in the userinfo response to be used for the first name. + mapping_last_name: > + Provide a custom mapping in the userinfo response to be used for the last name. + mapping_admin: > + Provide a custom mapping in the userinfo response to be used for the admin status. + It expects a boolean attribute to be returned. + settings: + metadata_none: I don't have this information + metadata_url: I have a discovery endpoint URL + endpoint_url: Endpoint URL providers: + seeded_from_env: "This provider was seeded from the environment configuration. It cannot be edited." + google: + name: Google + microsoft_entra: + name: Microsoft Entra + custom: + name: Custom + upsale: + description: Connect OpenProject to an OpenID connect identity provider label_add_new: Add a new OpenID provider label_edit: Edit OpenID provider %{name} + label_empty_title: No OpenID providers configured yet. + label_empty_description: Add a provider to see them here. + label_metadata: OpenID Connect Discovery Endpoint + label_automatic_configuration: Automatic configuration + label_optional_configuration: Optional configuration + label_advanced_configuration: Advanced configuration + label_configuration_details: Metadata + label_client_details: Client details + label_attribute_mapping: Attribute mapping + client_details_description: Configuration details of OpenProject as an OIDC client no_results_table: No providers have been defined yet. plural: OpenID providers singular: OpenID provider + section_texts: + metadata: Pre-fill configuration using an OpenID Connect discovery endpoint URL + metadata_form_banner: Editing the discovery endpoint may override existing pre-filled metadata values. + metadata_form_title: OpenID Connect Discovery endpoint + metadata_form_description: If your identity provider has a discovery endpoint URL. Use it below to pre-fill configuration. + configuration_metadata: The information has been pre-filled using the supplied discovery endpoint. In most cases, they do not require editing. + configuration: Configuration details of the OpenID Connect provider + display_name: The display name visible to users. + attribute_mapping: Configure the mapping of attributes between OpenProject and the OpenID Connect provider. + claims: Request additional claims for the ID token or userinfo response. setting_instructions: - azure_deprecation_warning: > - The configured Azure app points to a deprecated API from Azure. Please create a new Azure app to ensure the functionality in future. - azure_graph_api: > - Use the graph.microsoft.com userinfo endpoint to request userdata. This should be the default unless you have an older azure application. - azure_tenant_html: > - Set the tenant of your Azure endpoint. This will control who gets access to the OpenProject instance. - For more information, please see our user guide on Azure OpenID connect. limit_self_registration: > If enabled users can only register using this provider if the self registration setting allows for it. diff --git a/modules/openid_connect/config/routes.rb b/modules/openid_connect/config/routes.rb index d10644fbc8fe..aa31fbcf26f3 100644 --- a/modules/openid_connect/config/routes.rb +++ b/modules/openid_connect/config/routes.rb @@ -3,7 +3,9 @@ scope :admin do namespace :openid_connect do - resources :providers, only: %i[index new create edit update destroy] + resources :providers, except: %i[show] do + get :confirm_destroy, on: :member + end end end end diff --git a/modules/openid_connect/db/migrate/20240829140616_migrate_oidc_settings_to_providers.rb b/modules/openid_connect/db/migrate/20240829140616_migrate_oidc_settings_to_providers.rb new file mode 100644 index 000000000000..46ea3ba0545e --- /dev/null +++ b/modules/openid_connect/db/migrate/20240829140616_migrate_oidc_settings_to_providers.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +class MigrateOidcSettingsToProviders < ActiveRecord::Migration[7.1] + def up + providers = Hash(Setting.plugin_openproject_openid_connect).with_indifferent_access[:providers] + return if providers.blank? + + providers.each do |name, configuration| + migrate_provider!(name, configuration) + end + end + + def down + # This migration does not yet remove Setting.plugin_openproject_openid_connect + # so it can be retried. + end + + private + + def migrate_provider!(name, configuration) + Rails.logger.debug { "Trying to migrate OpenID provider #{name} from previous settings format..." } + call = ::OpenIDConnect::SyncService.new(name, configuration).call + + if call.success + Rails.logger.debug { <<~SUCCESS } + Successfully migrated OpenID provider #{name} from previous settings format. + You can now manage this provider in the new administrative UI within OpenProject under + the "Administration -> Authentication -> OpenID providers" section. + SUCCESS + else + raise <<~ERROR + Failed to create or update OpenID provider #{name} from previous settings format. + The error message was: #{call.message} + + Please check the logs for more information and open a bug report in our community: + https://www.openproject.org/docs/development/report-a-bug/ + + If you would like to skip migrating the OpenID provider setting and discard them instead, you can use our documentation + to unset any previous OpenID provider settings: + + https://www.openproject.org/docs/system-admin-guide/authentication/openid-providers/ + ERROR + end + end +end diff --git a/modules/openid_connect/lib/open_project/openid_connect.rb b/modules/openid_connect/lib/open_project/openid_connect.rb index c9331a39ee5d..2c8df881e6c4 100644 --- a/modules/openid_connect/lib/open_project/openid_connect.rb +++ b/modules/openid_connect/lib/open_project/openid_connect.rb @@ -4,28 +4,36 @@ module OpenProject module OpenIDConnect - CONFIG_KEY = "openid_connect".freeze + def self.configuration + providers = ::OpenIDConnect::Provider.where(available: true) - def providers + OpenProject::Cache.fetch(providers.cache_key) do + providers.each_with_object({}) do |provider, hash| + hash[provider.slug.to_sym] = provider.to_h + end + end + end + + def self.providers # update base redirect URI in case settings changed ::OmniAuth::OpenIDConnect::Providers.configure( base_redirect_uri: "#{Setting.protocol}://#{Setting.host_name}#{OpenProject::Configuration['rails_relative_url_root']}" ) - ::OmniAuth::OpenIDConnect::Providers.load(configuration).map do |omniauth_provider| - ::OpenIDConnect::Provider.new(omniauth_provider) - end - end - module_function :providers - def configuration - from_settings = if Setting.plugin_openproject_openid_connect.is_a? Hash - Hash(Setting.plugin_openproject_openid_connect["providers"]) - else - {} - end - # Settings override configuration.yml - Hash(OpenProject::Configuration[CONFIG_KEY]).deep_merge(from_settings) + configuration.map do |slug, configuration| + provider = configuration.delete(:oidc_provider) + clazz = + case provider + when "google" + ::OmniAuth::OpenIDConnect::Google + when "microsoft_entra" + ::OmniAuth::OpenIDConnect::Azure + else + ::OmniAuth::OpenIDConnect::Provider + end + + clazz.new(slug, configuration) + end end - module_function :configuration end end diff --git a/modules/openid_connect/lib/open_project/openid_connect/engine.rb b/modules/openid_connect/lib/open_project/openid_connect/engine.rb index 345651d2967e..bde77b42ab7f 100644 --- a/modules/openid_connect/lib/open_project/openid_connect/engine.rb +++ b/modules/openid_connect/lib/open_project/openid_connect/engine.rb @@ -22,7 +22,7 @@ class Engine < ::Rails::Engine assets %w( openid_connect/auth_provider-azure.png openid_connect/auth_provider-google.png - openid_connect/auth_provider-heroku.png + openid_connect/auth_provider-custom.png ) class_inflection_override("openid_connect" => "OpenIDConnect") @@ -60,22 +60,13 @@ class Engine < ::Rails::Engine end end - initializer "openid_connect.configure" do - ::Settings::Definition.add( - OpenProject::OpenIDConnect::CONFIG_KEY, default: {}, writable: false - ) - end - - initializer "openid_connect.form_post_method" do - # If response_mode 'form_post' is chosen, - # the IP sends a POST to the callback. Only if - # the sameSite flag is not set on the session cookie, is the cookie send along with the request. - if OpenProject::Configuration["openid_connect"]&.any? { |_, v| v["response_mode"]&.to_s == "form_post" } - SecureHeaders::Configuration.default.cookies[:samesite][:lax] = false - # Need to reload the secure_headers config to - # avoid having set defaults (e.g. https) when changing the cookie values - load Rails.root.join("config/initializers/secure_headers.rb") - end + initializer "openid_connect.configuration" do + ::Settings::Definition.add :seed_oidc_provider, + description: "Provide a OIDC provider and sync its settings through ENV", + env_alias: "OPENPROJECT_OPENID__CONNECT", + writable: false, + default: {}, + format: :hash end config.to_prepare do diff --git a/modules/openid_connect/spec/contracts/openid_connect/providers/create_contract_spec.rb b/modules/openid_connect/spec/contracts/openid_connect/providers/create_contract_spec.rb new file mode 100644 index 000000000000..36dd0cff327c --- /dev/null +++ b/modules/openid_connect/spec/contracts/openid_connect/providers/create_contract_spec.rb @@ -0,0 +1,49 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require "contracts/shared/model_contract_shared_context" + +RSpec.describe OpenIDConnect::Providers::CreateContract do + include_context "ModelContract shared context" + + let(:provider) { build(:oidc_provider) } + let(:contract) { described_class.new provider, current_user } + + context "when admin" do + let(:current_user) { build_stubbed(:admin) } + + it_behaves_like "contract is valid" + end + + context "when non-admin" do + let(:current_user) { build_stubbed(:user) } + + it_behaves_like "contract is invalid", base: :error_unauthorized + end +end diff --git a/modules/openid_connect/spec/contracts/openid_connect/providers/delete_contract_spec.rb b/modules/openid_connect/spec/contracts/openid_connect/providers/delete_contract_spec.rb new file mode 100644 index 000000000000..d8d524f49a83 --- /dev/null +++ b/modules/openid_connect/spec/contracts/openid_connect/providers/delete_contract_spec.rb @@ -0,0 +1,51 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require "contracts/shared/model_contract_shared_context" + +RSpec.describe OpenIDConnect::Providers::DeleteContract do + include_context "ModelContract shared context" + + let(:provider) { build_stubbed(:oidc_provider) } + let(:contract) { described_class.new provider, current_user } + + context "when admin" do + let(:current_user) { build_stubbed(:admin) } + + it_behaves_like "contract is valid" + end + + context "when non-admin" do + let(:current_user) { build_stubbed(:user) } + + it_behaves_like "contract is invalid", base: :error_unauthorized + end +end diff --git a/modules/openid_connect/spec/contracts/openid_connect/providers/update_contract_spec.rb b/modules/openid_connect/spec/contracts/openid_connect/providers/update_contract_spec.rb new file mode 100644 index 000000000000..a4b72c653195 --- /dev/null +++ b/modules/openid_connect/spec/contracts/openid_connect/providers/update_contract_spec.rb @@ -0,0 +1,49 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require "contracts/shared/model_contract_shared_context" + +RSpec.describe OpenIDConnect::Providers::UpdateContract do + let(:provider) { build_stubbed(:oidc_provider) } + let(:contract) { described_class.new provider, current_user } + + include_context "ModelContract shared context" + + context "when admin" do + let(:current_user) { build_stubbed(:admin) } + + it_behaves_like "contract is valid" + end + + context "when non-admin" do + let(:current_user) { build_stubbed(:user) } + + it_behaves_like "contract is invalid", base: :error_unauthorized + end +end diff --git a/modules/openid_connect/spec/controllers/providers_controller_spec.rb b/modules/openid_connect/spec/controllers/providers_controller_spec.rb deleted file mode 100644 index 493b4d50d543..000000000000 --- a/modules/openid_connect/spec/controllers/providers_controller_spec.rb +++ /dev/null @@ -1,270 +0,0 @@ -#-- copyright -# OpenProject is an open source project management software. -# Copyright (C) the OpenProject GmbH -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License version 3. -# -# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: -# Copyright (C) 2006-2013 Jean-Philippe Lang -# Copyright (C) 2010-2013 the ChiliProject Team -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# See COPYRIGHT and LICENSE files for more details. -#++ - -require "spec_helper" - -RSpec.describe OpenIDConnect::ProvidersController do - let(:user) { build_stubbed(:admin) } - - let(:valid_params) do - { - name: "azure", - identifier: "IDENTIFIER", - secret: "SECRET" - } - end - - before do - login_as user - end - - context "without an EE token", with_ee: false do - it "renders upsale" do - get :index - expect(response).to have_http_status(:ok) - expect(response).to render_template "openid_connect/providers/upsale" - end - end - - context "with an EE token", with_ee: %i[sso_auth_providers] do - before do - login_as user - end - - context "when not admin" do - let(:user) { build_stubbed(:user) } - - it "renders 403" do - get :index - expect(response).to have_http_status(:forbidden) - end - end - - context "when not logged in" do - let(:user) { User.anonymous } - - it "renders 403" do - get :index - expect(response.status).to redirect_to(signin_url(back_url: openid_connect_providers_url)) - end - end - - describe "#index" do - it "renders the index page" do - get :index - expect(response).to be_successful - expect(response).to render_template "index" - end - end - - describe "#new" do - it "renders the new page" do - get :new - expect(response).to be_successful - expect(assigns[:provider]).to be_new_record - expect(response).to render_template "new" - end - - it "redirects to the index page if no provider available", with_settings: { - plugin_openproject_openid_connect: { - "providers" => OpenIDConnect::Provider::ALLOWED_TYPES.inject({}) do |accu, name| - accu.merge(name => { "identifier" => "IDENTIFIER", "secret" => "SECRET" }) - end - } - } do - get :new - expect(response).to be_redirect - end - end - - describe "#create" do - context "with valid params" do - let(:params) { { openid_connect_provider: valid_params } } - - before do - post :create, params: - end - - it "is successful" do - expect(flash[:notice]).to eq(I18n.t(:notice_successful_create)) - expect(Setting.plugin_openproject_openid_connect["providers"]).to have_key("azure") - expect(response).to be_redirect - end - - context "with limit_self_registration checked" do - let(:params) do - { openid_connect_provider: valid_params.merge(limit_self_registration: 1) } - end - - it "sets the setting" do - expect(OpenProject::Plugins::AuthPlugin) - .to be_limit_self_registration provider: valid_params[:name] - end - end - - context "with limit_self_registration unchecked" do - let(:params) do - { openid_connect_provider: valid_params.merge(limit_self_registration: 0) } - end - - it "does not set the setting" do - expect(OpenProject::Plugins::AuthPlugin) - .not_to be_limit_self_registration provider: valid_params[:name] - end - end - end - - it "renders an error if invalid params" do - post :create, params: { openid_connect_provider: valid_params.merge(identifier: "") } - expect(response).to render_template "new" - end - end - - describe "#edit" do - context "when found", with_settings: { - plugin_openproject_openid_connect: { - "providers" => { "azure" => { "identifier" => "IDENTIFIER", "secret" => "SECRET" } } - } - } do - it "renders the edit page" do - get :edit, params: { id: "azure" } - expect(response).to be_successful - expect(assigns[:provider]).to be_present - expect(response).to render_template "edit" - end - - context( - "with limit_self_registration set", - with_settings: { - plugin_openproject_openid_connect: { - "providers" => { - "azure" => { - "identifier" => "IDENTIFIER", - "secret" => "SECRET", - "limit_self_registration" => true - } - } - } - } - ) do - before do - get :edit, params: { id: "azure" } - end - - it "shows limit_self_registration as checked" do - expect(assigns[:provider]).to be_limit_self_registration - end - end - - context "with limit_self_registration not set" do - before do - get :edit, params: { id: "azure" } - end - - it "shows limit_self_registration as checked" do - expect(assigns[:provider]).to be_limit_self_registration - end - end - end - - context "when not found" do - it "renders 404" do - get :edit, params: { id: "doesnoexist" } - expect(response).not_to be_successful - expect(response).to have_http_status(:not_found) - end - end - end - - describe "#update" do - context "when found" do - before do - Setting.plugin_openproject_openid_connect = { - "providers" => { "azure" => { "identifier" => "IDENTIFIER", "secret" => "SECRET" } } - } - end - - it "successfully updates the provider configuration" do - put :update, params: { id: "azure", openid_connect_provider: valid_params.merge(secret: "NEWSECRET") } - expect(response).to be_redirect - expect(flash[:notice]).to be_present - provider = OpenProject::OpenIDConnect.providers.find { |item| item.name == "azure" } - expect(provider.secret).to eq("NEWSECRET") - end - - context "with limit_self_registration checked" do - let(:params) do - { id: "azure", openid_connect_provider: valid_params.merge(limit_self_registration: 1) } - end - - it "sets the setting" do - put(:update, params:) - - expect(OpenProject::Plugins::AuthPlugin) - .to be_limit_self_registration provider: :azure - provider = OpenProject::OpenIDConnect.providers.find { |item| item.name == "azure" } - expect(provider.limit_self_registration).to be true - end - end - - context "with limit_self_registration unchecked" do - let(:params) do - { id: :azure, openid_connect_provider: valid_params.merge(limit_self_registration: 0) } - end - - it "does not set the setting" do - put(:update, params:) - - expect(OpenProject::Plugins::AuthPlugin) - .not_to be_limit_self_registration provider: valid_params[:name] - - provider = OpenProject::OpenIDConnect.providers.find { |item| item.name == "azure" } - expect(provider.limit_self_registration).to be false - end - end - end - end - - describe "#destroy" do - context "when found" do - before do - Setting.plugin_openproject_openid_connect = { - "providers" => { "azure" => { "identifier" => "IDENTIFIER", "secret" => "SECRET" } } - } - end - - it "removes the provider" do - delete :destroy, params: { id: "azure" } - expect(response).to be_redirect - expect(flash[:notice]).to be_present - expect(OpenProject::OpenIDConnect.providers).to be_empty - end - end - end - end -end diff --git a/modules/openid_connect/spec/factories/oidc_provider_factory.rb b/modules/openid_connect/spec/factories/oidc_provider_factory.rb new file mode 100644 index 000000000000..069df379891c --- /dev/null +++ b/modules/openid_connect/spec/factories/oidc_provider_factory.rb @@ -0,0 +1,40 @@ +FactoryBot.define do + factory :oidc_provider, class: "OpenIDConnect::Provider" do + display_name { "Foobar" } + slug { "oidc-foobar" } + limit_self_registration { true } + creator factory: :user + + options do + { + "issuer" => "https://keycloak.local/realms/master", + "jwks_uri" => "https://keycloak.local/realms/master/protocol/openid-connect/certs", + "client_id" => "https://openproject.local", + "client_secret" => "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn", + "oidc_provider" => "custom", + "token_endpoint" => "https://keycloak.local/realms/master/protocol/openid-connect/token", + "userinfo_endpoint" => "https://keycloak.local/realms/master/protocol/openid-connect/userinfo", + "end_session_endpoint" => "https://keycloak.local/realms/master/protocol/openid-connect/logout", + "authorization_endpoint" => "https://keycloak.local/realms/master/protocol/openid-connect/auth" + } + end + end + + factory :oidc_provider_google, class: "OpenIDConnect::Provider" do + display_name { "Google" } + slug { "oidc-google" } + limit_self_registration { true } + creator factory: :user + + options do + { "issuer" => "https://accounts.google.com", + "jwks_uri" => "https://www.googleapis.com/oauth2/v3/certs", + "client_id" => "identifier", + "client_secret" => "secret", + "oidc_provider" => "google", + "token_endpoint" => "https://oauth2.googleapis.com/token", + "userinfo_endpoint" => "https://openidconnect.googleapis.com/v1/userinfo", + "authorization_endpoint" => "https://accounts.google.com/o/oauth2/v2/auth" } + end + end +end diff --git a/modules/openid_connect/spec/features/administration/oidc_custom_crud_spec.rb b/modules/openid_connect/spec/features/administration/oidc_custom_crud_spec.rb new file mode 100644 index 000000000000..714723041076 --- /dev/null +++ b/modules/openid_connect/spec/features/administration/oidc_custom_crud_spec.rb @@ -0,0 +1,177 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require_module_spec_helper + +RSpec.describe "OIDC administration CRUD", + :js, + :with_cuprite do + shared_let(:user) { create(:admin) } + let(:danger_zone) { DangerZone.new(page) } + + before do + login_as(user) + end + + context "with EE", with_ee: %i[sso_auth_providers] do + it "can manage OIDC providers through the UI" do + visit "/admin/openid_connect/providers" + expect(page).to have_text "No OpenID providers configured yet." + click_link_or_button "OpenID provider" + click_link_or_button "Custom" + + fill_in "Display name", with: "My provider" + click_link_or_button "Continue" + + # Skip metadata + click_link_or_button "Continue" + + # Fill out configuration + fill_in "Authorization endpoint", with: "https://example.com/sso" + fill_in "User information endpoint", with: "https://example.com/sso/userinfo" + fill_in "Token endpoint", with: "https://example.com/sso/token" + fill_in "Issuer", with: "foobar" + + click_link_or_button "Continue" + + # Client credentials + fill_in "Client ID", with: "client_id" + fill_in "Client secret", with: "client secret" + + click_link_or_button "Continue" + + # Mapping form + fill_in "Mapping for: Username", with: "login" + fill_in "Mapping for: Email", with: "mail" + fill_in "Mapping for: First name", with: "myName" + fill_in "Mapping for: Last name", with: "myLastName" + + click_link_or_button "Continue" + + # Claims + fill_in "Claims", with: '{"foo": "bar"}' + fill_in "ACR values", with: "foo bar" + + click_link_or_button "Finish setup" + + # We're now on the show page + within_test_selector("openid_connect_provider_metadata") do + expect(page).to have_text "Not configured" + end + + # Back to index + visit "/admin/openid_connect/providers" + expect(page).to have_text "My provider" + expect(page).to have_css(".users", text: 0) + expect(page).to have_css(".creator", text: user.name) + + click_link_or_button "My provider" + + provider = OpenIDConnect::Provider.find_by!(display_name: "My provider") + expect(provider.slug).to eq "oidc-my-provider" + expect(provider.authorization_endpoint).to eq "https://example.com/sso" + expect(provider.token_endpoint).to eq "https://example.com/sso/token" + expect(provider.userinfo_endpoint).to eq "https://example.com/sso/userinfo" + + expect(provider.issuer).to eq "foobar" + expect(provider.client_id).to eq "client_id" + expect(provider.client_secret).to eq "client secret" + + expect(provider.mapping_login).to eq "login" + expect(provider.mapping_email).to eq "mail" + expect(provider.mapping_first_name).to eq "myName" + expect(provider.mapping_last_name).to eq "myLastName" + + click_link_or_button "Delete" + # Confirm the deletion + # Without confirmation, the button is disabled + expect(danger_zone).to be_disabled + + # With wrong confirmation, the button is disabled + danger_zone.confirm_with("foo") + + expect(danger_zone).to be_disabled + + # With correct confirmation, the button is enabled + # and the project can be deleted + danger_zone.confirm_with(provider.display_name) + expect(danger_zone).not_to be_disabled + danger_zone.danger_button.click + + expect(page).to have_text "No OpenID providers configured yet." + expect { provider.reload }.to raise_error ActiveRecord::RecordNotFound + end + + it "can import metadata from URL", :webmock do + visit "/admin/openid_connect/providers" + + click_link_or_button "OpenID provider" + click_link_or_button "Custom" + + fill_in "Display name", with: "My provider" + click_link_or_button "Continue" + + url = "https://example.com/metadata" + metadata = Rails.root.join("modules/openid_connect/spec/fixtures/keycloak_localhost.json").read + stub_request(:get, url).to_return(status: 200, body: metadata, headers: { "Content-Type" => "application/json" }) + + choose "I have a discovery endpoint URL" + fill_in "openid_connect_provider_metadata_url", with: url + + click_link_or_button "Continue" + expect(page).to have_text "The information has been pre-filled using the supplied discovery endpoint." + expect(page).to have_field "Authorization endpoint", with: "http://localhost:8080/realms/test/protocol/openid-connect/auth" + expect(page).to have_field "Token endpoint", with: "http://localhost:8080/realms/test/protocol/openid-connect/token" + expect(page).to have_field "User information endpoint", with: "http://localhost:8080/realms/test/protocol/openid-connect/userinfo" + expect(page).to have_field "End session endpoint", with: "http://localhost:8080/realms/test/protocol/openid-connect/logout" + expect(page).to have_field "Issuer", with: "http://localhost:8080/realms/test" + + expect(WebMock).to have_requested(:get, url) + end + + context "when provider exists already" do + let!(:provider) { create(:oidc_provider, display_name: "My provider") } + + it "shows an error trying to use the same name" do + visit "/admin/openid_connect/providers/new" + fill_in "Display name", with: "My provider" + click_link_or_button "Continue" + + expect(page).to have_text "Display name has already been taken." + end + end + end + + context "without EE", without_ee: %i[sso_auth_providers] do + it "renders the upsale page" do + visit "/admin/openid_connect/providers" + expect(page).to have_text "OpenID providers is an Enterprise add-on" + end + end +end diff --git a/modules/openid_connect/spec/fixtures/keycloak_localhost.json b/modules/openid_connect/spec/fixtures/keycloak_localhost.json new file mode 100644 index 000000000000..af2646381597 --- /dev/null +++ b/modules/openid_connect/spec/fixtures/keycloak_localhost.json @@ -0,0 +1,290 @@ +{ + "issuer": "http://localhost:8080/realms/test", + "authorization_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/auth", + "token_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/token", + "introspection_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/token/introspect", + "userinfo_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/userinfo", + "end_session_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/logout", + "frontchannel_logout_session_supported": true, + "frontchannel_logout_supported": true, + "jwks_uri": "http://localhost:8080/realms/test/protocol/openid-connect/certs", + "check_session_iframe": "http://localhost:8080/realms/test/protocol/openid-connect/login-status-iframe.html", + "grant_types_supported": [ + "authorization_code", + "implicit", + "refresh_token", + "password", + "client_credentials", + "urn:ietf:params:oauth:grant-type:device_code", + "urn:openid:params:grant-type:ciba" + ], + "acr_values_supported": [ + "0", + "1" + ], + "response_types_supported": [ + "code", + "none", + "id_token", + "token", + "id_token token", + "code id_token", + "code token", + "code id_token token" + ], + "subject_types_supported": [ + "public", + "pairwise" + ], + "id_token_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512" + ], + "id_token_encryption_alg_values_supported": [ + "RSA-OAEP", + "RSA-OAEP-256", + "RSA1_5" + ], + "id_token_encryption_enc_values_supported": [ + "A256GCM", + "A192GCM", + "A128GCM", + "A128CBC-HS256", + "A192CBC-HS384", + "A256CBC-HS512" + ], + "userinfo_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512", + "none" + ], + "userinfo_encryption_alg_values_supported": [ + "RSA-OAEP", + "RSA-OAEP-256", + "RSA1_5" + ], + "userinfo_encryption_enc_values_supported": [ + "A256GCM", + "A192GCM", + "A128GCM", + "A128CBC-HS256", + "A192CBC-HS384", + "A256CBC-HS512" + ], + "request_object_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512", + "none" + ], + "request_object_encryption_alg_values_supported": [ + "RSA-OAEP", + "RSA-OAEP-256", + "RSA1_5" + ], + "request_object_encryption_enc_values_supported": [ + "A256GCM", + "A192GCM", + "A128GCM", + "A128CBC-HS256", + "A192CBC-HS384", + "A256CBC-HS512" + ], + "response_modes_supported": [ + "query", + "fragment", + "form_post", + "query.jwt", + "fragment.jwt", + "form_post.jwt", + "jwt" + ], + "registration_endpoint": "http://localhost:8080/realms/test/clients-registrations/openid-connect", + "token_endpoint_auth_methods_supported": [ + "private_key_jwt", + "client_secret_basic", + "client_secret_post", + "tls_client_auth", + "client_secret_jwt" + ], + "token_endpoint_auth_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512" + ], + "introspection_endpoint_auth_methods_supported": [ + "private_key_jwt", + "client_secret_basic", + "client_secret_post", + "tls_client_auth", + "client_secret_jwt" + ], + "introspection_endpoint_auth_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512" + ], + "authorization_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512" + ], + "authorization_encryption_alg_values_supported": [ + "RSA-OAEP", + "RSA-OAEP-256", + "RSA1_5" + ], + "authorization_encryption_enc_values_supported": [ + "A256GCM", + "A192GCM", + "A128GCM", + "A128CBC-HS256", + "A192CBC-HS384", + "A256CBC-HS512" + ], + "claims_supported": [ + "aud", + "sub", + "iss", + "auth_time", + "name", + "given_name", + "family_name", + "preferred_username", + "email", + "acr" + ], + "claim_types_supported": [ + "normal" + ], + "claims_parameter_supported": true, + "scopes_supported": [ + "openid", + "email", + "roles", + "microprofile-jwt", + "web-origins", + "profile", + "offline_access", + "phone", + "address", + "acr" + ], + "request_parameter_supported": true, + "request_uri_parameter_supported": true, + "require_request_uri_registration": true, + "code_challenge_methods_supported": [ + "plain", + "S256" + ], + "tls_client_certificate_bound_access_tokens": true, + "revocation_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/revoke", + "revocation_endpoint_auth_methods_supported": [ + "private_key_jwt", + "client_secret_basic", + "client_secret_post", + "tls_client_auth", + "client_secret_jwt" + ], + "revocation_endpoint_auth_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "HS256", + "HS512", + "ES256", + "RS256", + "HS384", + "ES512", + "PS256", + "PS512", + "RS512" + ], + "backchannel_logout_supported": true, + "backchannel_logout_session_supported": true, + "device_authorization_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/auth/device", + "backchannel_token_delivery_modes_supported": [ + "poll", + "ping" + ], + "backchannel_authentication_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/ext/ciba/auth", + "backchannel_authentication_request_signing_alg_values_supported": [ + "PS384", + "ES384", + "RS384", + "ES256", + "RS256", + "ES512", + "PS256", + "PS512", + "RS512" + ], + "require_pushed_authorization_requests": false, + "pushed_authorization_request_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/ext/par/request", + "mtls_endpoint_aliases": { + "token_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/token", + "revocation_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/revoke", + "introspection_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/token/introspect", + "device_authorization_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/auth/device", + "registration_endpoint": "http://localhost:8080/realms/test/clients-registrations/openid-connect", + "userinfo_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/userinfo", + "pushed_authorization_request_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/ext/par/request", + "backchannel_authentication_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/ext/ciba/auth" + } +} diff --git a/modules/openid_connect/spec/migration/migrate_oidc_settings_to_providers_spec.rb b/modules/openid_connect/spec/migration/migrate_oidc_settings_to_providers_spec.rb new file mode 100644 index 000000000000..045779278060 --- /dev/null +++ b/modules/openid_connect/spec/migration/migrate_oidc_settings_to_providers_spec.rb @@ -0,0 +1,146 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" + +require Rails.root.join("modules/openid_connect/db/migrate/20240829140616_migrate_oidc_settings_to_providers.rb") +RSpec.describe MigrateOidcSettingsToProviders, type: :model do + # Define a custom class, + # Class.new doesn't work here as STI uses .constantize + # rubocop:disable Lint/ConstantDefinitionInBlock,RSpec/LeakyConstantDeclaration + class TestOpenIDConnectProvider < OpenIDConnect::Provider + self.table_name = "test_openid_connect_provider" + end + # rubocop:enable Lint/ConstantDefinitionInBlock,RSpec/LeakyConstantDeclaration + + subject { described_class.new.up } + + let(:test_provider_table_name) { "test_openid_connect_provider" } + + # Mock the create service so we can test with the test provider + before do + allow_any_instance_of(OpenIDConnect::Providers::CreateService) # rubocop:disable RSpec/AnyInstance + .to receive(:instance_class).and_return(TestOpenIDConnectProvider) + end + + around do |example| + ActiveRecord::Migration.suppress_messages do + ActiveRecord::Migration.create_table(test_provider_table_name) do |t| + t.string :type, null: false + t.string :display_name, null: false, index: { unique: true } + t.string :slug, null: false, index: { unique: true } + t.boolean :available, null: false, default: true + t.boolean :limit_self_registration, null: false, default: false + t.jsonb :options, default: {}, null: false + t.references :creator, null: false, index: true, foreign_key: { to_table: :users } + + t.timestamps + end + + example.run + ensure + ActiveRecord::Migration.drop_table(test_provider_table_name) + end + end + + context "when no provider present", + with_settings: { plugin_openproject_openid_connect: nil } do + it "does nothing" do + allow(OpenIDConnect::SyncService).to receive(:new) + + subject + + expect(OpenIDConnect::SyncService).not_to have_received(:new) + end + end + + context "when a provider present, but invalid", + with_settings: { + plugin_openproject_openid_connect: { + providers: { + keycloak: { + display_name: "Keycloak", + token_endpoint: "wat?" + } + } + } + } do + it "raises an error" do + expect { subject }.to raise_error do |error| + expect(error.message).to include "Failed to create or update OpenID provider keycloak from previous settings format" + expect(error.message).to include "Provided token_endpoint 'wat?' needs to be http(s) URL or path starting with a slash." + end + end + end + + context "when a provider correctly provided", + with_settings: { + plugin_openproject_openid_connect: { + providers: { + keycloak: { + display_name: "Keycloak", + host: "localhost", + port: "8080", + scheme: "http", + identifier: "http://localhost:3000", + secret: "IVl6GxxujAQ3mt6thAXKxyYYvmyRr8jw", + issuer: "http://localhost:8080/realms/test", + authorization_endpoint: "/realms/test/protocol/openid-connect/auth", + token_endpoint: "/realms/test/protocol/openid-connect/token", + userinfo_endpoint: "/realms/test/protocol/openid-connect/userinfo", + end_session_endpoint: "http://localhost:8080/realms/test/protocol/openid-connect/logout", + post_logout_redirect_uri: "http://localhost:3000", + limit_self_registration: true, + attribute_map: { login: "foo", admin: "isAdmin" } + } + } + } + } do + it "migrates correctly" do # rubocop:disable RSpec/MultipleExpectations + expect { subject }.to change(TestOpenIDConnectProvider, :count).by(1) + + provider = TestOpenIDConnectProvider.last + expect(provider.display_name).to eq "Keycloak" + expect(provider.host).to eq "localhost" + expect(provider.port).to eq "8080" + expect(provider.scheme).to eq "http" + expect(provider.client_id).to eq "http://localhost:3000" + expect(provider.client_secret).to eq "IVl6GxxujAQ3mt6thAXKxyYYvmyRr8jw" + expect(provider.issuer).to eq "http://localhost:8080/realms/test" + expect(provider.authorization_endpoint).to eq "http://localhost:8080/realms/test/protocol/openid-connect/auth" + expect(provider.token_endpoint).to eq "http://localhost:8080/realms/test/protocol/openid-connect/token" + expect(provider.userinfo_endpoint).to eq "http://localhost:8080/realms/test/protocol/openid-connect/userinfo" + expect(provider.end_session_endpoint).to eq "http://localhost:8080/realms/test/protocol/openid-connect/logout" + expect(provider.post_logout_redirect_uri).to eq "http://localhost:3000" + expect(provider.limit_self_registration).to be true + expect(provider.mapping_login).to eq "foo" + expect(provider.mapping_admin).to eq "isAdmin" + expect(provider.mapping_email).to be_blank + end + end +end diff --git a/modules/openid_connect/spec/models/openid_connect/provider_spec.rb b/modules/openid_connect/spec/models/openid_connect/provider_spec.rb deleted file mode 100644 index f58d071c0fdf..000000000000 --- a/modules/openid_connect/spec/models/openid_connect/provider_spec.rb +++ /dev/null @@ -1,100 +0,0 @@ -#-- copyright -# OpenProject is an open source project management software. -# Copyright (C) the OpenProject GmbH -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License version 3. -# -# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: -# Copyright (C) 2006-2013 Jean-Philippe Lang -# Copyright (C) 2010-2013 the ChiliProject Team -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# See COPYRIGHT and LICENSE files for more details. -#++ - -require "spec_helper" - -RSpec.describe OpenIDConnect::Provider do - let(:params) do - {} - end - let(:provider) do - described_class.initialize_with({ name: "azure", identifier: "id", secret: "secret" }.merge(params)) - end - - def auth_plugin - OpenProject::Plugins::AuthPlugin - end - - describe "limit_self_registration" do - before do - # required so that the auth plugin sees any providers (ee feature) - allow(EnterpriseToken).to receive(:show_banners?).and_return false - end - - context "with no limited providers" do - it "shows the provider as limited" do - provider.save - expect(auth_plugin).to be_limit_self_registration provider: provider.name - end - - context "when set to true" do - let(:params) do - { limit_self_registration: true } - end - - it "saving the provider makes it limited" do - provider.save - - expect(auth_plugin).to be_limit_self_registration provider: provider.name - end - end - - context "when set to false" do - let(:params) do - { limit_self_registration: false } - end - - it "saving the provider does nothing" do - provider.save - - expect(auth_plugin).not_to be_limit_self_registration provider: provider.name - end - end - end - - context( - "with a limited provider", - with_settings: { - plugin_openproject_openid_connect: { - "providers" => { - "azure" => { - "name" => "azure", - "identifier" => "id", - "secret" => "secret", - "limit_self_registration" => true - } - } - } - } - ) do - it "shows the provider as limited" do - expect(auth_plugin).to be_limit_self_registration provider: provider.name - end - end - end -end diff --git a/modules/openid_connect/spec/requests/openid_connect_spec.rb b/modules/openid_connect/spec/requests/openid_connect_spec.rb index 808902e6aad0..88a9fc4bdd00 100644 --- a/modules/openid_connect/spec/requests/openid_connect_spec.rb +++ b/modules/openid_connect/spec/requests/openid_connect_spec.rb @@ -36,7 +36,7 @@ RSpec.describe "OpenID Connect", :skip_2fa_stage, # Prevent redirects to 2FA stage type: :rails_request, with_ee: %i[sso_auth_providers] do - let(:host) { OmniAuth::OpenIDConnect::Heroku.new("foo", {}).host } + let(:host) { "keycloak.local" } let(:user_info) do { sub: "87117114115116", @@ -66,21 +66,13 @@ end describe "sign-up and login" do - before do - allow(Setting).to receive(:plugin_openproject_openid_connect).and_return( - "providers" => { - "heroku" => { - "identifier" => "does not", - "secret" => "matter" - } - } - ) - end + let(:limit_self_registration) { false } + let!(:provider) { create(:oidc_provider, slug: "keycloak", limit_self_registration:) } - it "works" do + it "logs in the user" do ## # it should redirect to the provider's openid connect authentication endpoint - click_on_signin + click_on_signin("keycloak") expect(response).to have_http_status :found expect(response.location).to match /https:\/\/#{host}.*$/ @@ -88,12 +80,12 @@ params = Rack::Utils.parse_nested_query(response.location.gsub(/^.*\?/, "")) expect(params).to include "client_id" - expect(params["redirect_uri"]).to match /^.*\/auth\/heroku\/callback$/ + expect(params["redirect_uri"]).to match /^.*\/auth\/keycloak\/callback$/ expect(params["scope"]).to include "openid" ## # it should redirect back from the provider to the login page - redirect_from_provider + redirect_from_provider("keycloak") expect(response).to have_http_status :found expect(response.location).to match /\/\?first_time_user=true$/ @@ -109,20 +101,84 @@ user.activate user.save! - click_on_signin + click_on_signin("keycloak") expect(response).to have_http_status :found expect(response.location).to match /https:\/\/#{host}.*$/ ## # it should then login the user upon the redirect back from the provider - redirect_from_provider + redirect_from_provider("keycloak") expect(response).to have_http_status :found expect(response.location).to match /\/my\/page/ end - context "with a custom claim and mapping" do + context "with self-registration disabled and provider respecting that", + with_settings: { + self_registration: 0 + } do + let(:limit_self_registration) { true } + + it "does not allow registration" do + click_on_signin("keycloak") + redirect_from_provider("keycloak") + + expect(response).to have_http_status :found + expect(response.location).to match /\/login$/ + expect(flash[:error]).to include "User registration is limited for the Single sign-on provider 'keycloak'" + + user = User.find_by(mail: user_info[:email]) + expect(user).to be_nil + end + end + + context "with self-registration manual and provider respecting that", + with_settings: { + self_registration: 2 + } do + let(:limit_self_registration) { true } + + it "does not allow registration" do + click_on_signin("keycloak") + redirect_from_provider("keycloak") + + expect(response).to have_http_status :found + expect(response.location).to match /\/login$/ + expect(flash[:notice]).to eq "Your account was created and is now pending administrator approval." + + user = User.find_by(mail: user_info[:email]) + expect(user).to be_registered + expect(user).not_to be_active + end + end + + context "with self-registration disabled and provider ignoring that", + with_settings: { + self_registration: 0 + } do + let(:limit_self_registration) { false } + + it "does not allow registration" do + click_on_signin("keycloak") + redirect_from_provider("keycloak") + + expect(response).to have_http_status :found + expect(response.location).to match /\/\?first_time_user=true$/ + + user = User.find_by(mail: user_info[:email]) + expect(user).to be_active + end + end + + context "with a custom attribute mapping" do + let!(:provider) do + create(:oidc_provider, + slug: "keycloak", + limit_self_registration:, + mapping_login: :foobar) + end + let(:user_info) do { sub: "87117114115116", @@ -134,57 +190,13 @@ } end - before do - allow(Setting).to receive(:plugin_openproject_openid_connect).and_return( - "providers" => { - "heroku" => { - "attribute_map" => { login: :foobar }, - "identifier" => "does not", - "secret" => "matter" - } - } - ) - end - it "maps to the login" do - click_on_signin - redirect_from_provider + click_on_signin("keycloak") + redirect_from_provider("keycloak") user = User.find_by(login: "a.truly.random.value") expect(user).to be_present end end end - - context "provider configuration through the settings" do - before do - allow(Setting).to receive(:plugin_openproject_openid_connect).and_return( - "providers" => { - "google" => { - "identifier" => "does not", - "secret" => "matter" - }, - "azure" => { - "identifier" => "IDENTIFIER", - "secret" => "SECRET" - } - } - ) - end - - it "shows no option unless EE", with_ee: false do - get "/login" - expect(response.body).not_to match /Google/i - expect(response.body).not_to match /Azure/i - end - - it "makes providers that have been configured through settings available without requiring a restart" do - get "/login" - expect(response.body).to match /Google/i - expect(response.body).to match /Azure/i - - expect { click_on_signin("google") }.not_to raise_error - expect(response).to have_http_status :found - end - end end diff --git a/modules/openid_connect/spec/seeders/env_data/openid_connect/provider_seeder_spec.rb b/modules/openid_connect/spec/seeders/env_data/openid_connect/provider_seeder_spec.rb new file mode 100644 index 000000000000..fb79e6291380 --- /dev/null +++ b/modules/openid_connect/spec/seeders/env_data/openid_connect/provider_seeder_spec.rb @@ -0,0 +1,140 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" + +RSpec.describe EnvData::OpenIDConnect::ProviderSeeder, :settings_reset do + let(:seed_data) { Source::SeedData.new({}) } + + subject(:seeder) { described_class.new(seed_data) } + + before do + reset(:seed_oidc_provider, + description: "Provide a OIDC provider and sync its settings through ENV", + env_alias: "OPENPROJECT_OPENID__CONNECT", + writable: false, + default: {}, + format: :hash) + end + + context "when not provided" do + it "does nothing" do + expect { seeder.seed! }.not_to change(OpenIDConnect::Provider, :count) + end + end + + context "when providing seed variables", + with_env: { + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "keycloak.local", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_IDENTIFIER: "https://openproject.internal", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://keycloak.local/realms/master", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_AUTHORIZATION__ENDPOINT: "/realms/master/protocol/openid-connect/auth", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_TOKEN__ENDPOINT: "/realms/master/protocol/openid-connect/token", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_USERINFO__ENDPOINT: "/realms/master/protocol/openid-connect/userinfo", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://keycloak.local/realms/master/protocol/openid-connect/logout", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_JWKS__URI: "https://keycloak.local/realms/master/protocol/openid-connect/certs" + } do + it "uses those variables" do + expect { seeder.seed! }.to change(OpenIDConnect::Provider, :count).by(1) + + provider = OpenIDConnect::Provider.last + expect(provider.slug).to eq "keycloak" + expect(provider.display_name).to eq "Keycloak" + expect(provider.oidc_provider).to eq "custom" + expect(provider.client_id).to eq "https://openproject.internal" + expect(provider.client_secret).to eq "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn" + expect(provider.issuer).to eq "https://keycloak.local/realms/master" + expect(provider.authorization_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/auth" + expect(provider.token_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/token" + expect(provider.userinfo_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/userinfo" + expect(provider.end_session_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/logout" + expect(provider.jwks_uri).to eq "https://keycloak.local/realms/master/protocol/openid-connect/certs" + expect(provider.seeded_from_env?).to be true + end + + context "when provider already exists with that name" do + it "updates the provider" do + provider = OpenIDConnect::Provider.create!(display_name: "Something", slug: "keycloak", creator: User.system) + expect(provider.seeded_from_env?).to be true + + expect { seeder.seed! }.not_to change(OpenIDConnect::Provider, :count) + + provider.reload + + expect(provider.slug).to eq "keycloak" + expect(provider.display_name).to eq "Keycloak" + expect(provider.oidc_provider).to eq "custom" + expect(provider.client_id).to eq "https://openproject.internal" + expect(provider.client_secret).to eq "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn" + expect(provider.issuer).to eq "https://keycloak.local/realms/master" + expect(provider.authorization_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/auth" + expect(provider.token_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/token" + expect(provider.userinfo_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/userinfo" + expect(provider.end_session_endpoint).to eq "https://keycloak.local/realms/master/protocol/openid-connect/logout" + expect(provider.jwks_uri).to eq "https://keycloak.local/realms/master/protocol/openid-connect/certs" + expect(provider.seeded_from_env?).to be true + end + end + end + + context "when providing multiple variables", + with_env: { + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "keycloak.local", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_IDENTIFIER: "https://openproject.internal", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://keycloak.local/realms/master", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_AUTHORIZATION__ENDPOINT: "/realms/master/protocol/openid-connect/auth", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_TOKEN__ENDPOINT: "/realms/master/protocol/openid-connect/token", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_USERINFO__ENDPOINT: "/realms/master/protocol/openid-connect/userinfo", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://keycloak.local/realms/master/protocol/openid-connect/logout", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK_JWKS__URI: "https://keycloak.local/realms/master/protocol/openid-connect/certs", + + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_DISPLAY__NAME: "Keycloak 123", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_HOST: "keycloak.local", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_IDENTIFIER: "https://openproject.internal", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_SECRET: "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_ISSUER: "https://keycloak.local/realms/master", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_AUTHORIZATION__ENDPOINT: "/realms/master/protocol/openid-connect/auth", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_TOKEN__ENDPOINT: "/realms/master/protocol/openid-connect/token", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_USERINFO__ENDPOINT: "/realms/master/protocol/openid-connect/userinfo", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_END__SESSION__ENDPOINT: "https://keycloak.local/realms/master/protocol/openid-connect/logout", + OPENPROJECT_OPENID__CONNECT_KEYCLOAK123_JWKS__URI: "https://keycloak.local/realms/master/protocol/openid-connect/certs" + } do + it "creates both" do + expect { seeder.seed! }.to change(OpenIDConnect::Provider, :count).by(2) + + providers = OpenIDConnect::Provider.pluck(:slug) + expect(providers).to contain_exactly("keycloak", "keycloak123") + end + end +end diff --git a/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb b/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb new file mode 100644 index 000000000000..e5dd3128f681 --- /dev/null +++ b/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb @@ -0,0 +1,148 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" + +RSpec.describe OpenIDConnect::ConfigurationMapper, type: :model do + let(:instance) { described_class.new(configuration) } + let(:result) { instance.call! } + + describe "display_name" do + subject { result["display_name"] } + + context "when provided" do + let(:configuration) { { display_name: "My OIDC Provider" } } + + it { is_expected.to eq("My OIDC Provider") } + end + + context "when not provided" do + let(:configuration) { {} } + + it { is_expected.to eq("OpenID Connect") } + end + end + + describe "slug" do + subject { result["slug"] } + + context "when provided from name" do + let(:configuration) { { name: "OIDCwat" } } + + it { is_expected.to eq("OIDCwat") } + end + + context "when not provided" do + let(:configuration) { {} } + + it { is_expected.to be_nil } + end + end + + describe "client_id" do + subject { result } + + context "when provided" do + let(:configuration) { { identifier: "foo" } } + + it { is_expected.to include("client_id" => "foo") } + end + + context "when not provided" do + let(:configuration) { { foo: "bar" } } + + it { is_expected.not_to have_key("client_id") } + end + end + + describe "client_secret" do + subject { result } + + context "when provided" do + let(:configuration) { { secret: "foo" } } + + it { is_expected.to include("client_secret" => "foo") } + end + + context "when not provided" do + let(:configuration) { { foo: "bar" } } + + it { is_expected.not_to have_key("client_secret") } + end + end + + describe "issuer" do + subject { result } + + context "when provided" do + let(:configuration) { { issuer: "foo" } } + + it { is_expected.to include("issuer" => "foo") } + end + + context "when not provided" do + let(:configuration) { { foo: "bar" } } + + it { is_expected.not_to have_key("issuer") } + end + end + + %w[authorization_endpoint token_endpoint userinfo_endpoint end_session_endpoint jwks_uri].each do |key| + describe "setting #{key}" do + subject { result } + + context "when provided as url" do + let(:configuration) { { key => "https://foo.example.com/sso" } } + + it { is_expected.to include(key => "https://foo.example.com/sso") } + end + + context "when provided as path without host" do + let(:configuration) { { key => "/foo" } } + + it "raises an error" do + expect { subject }.to raise_error("Missing host in configuration") + end + end + + context "when provided as path with host" do + let(:configuration) { { host: "example.com", scheme: "https", key => "/foo" } } + + it { is_expected.to include(key => "https://example.com/foo") } + end + + context "when not provided" do + let(:configuration) { { foo: "bar" } } + + it { is_expected.not_to have_key(key) } + end + end + end +end diff --git a/modules/openid_connect/spec/services/openid_connect/providers/create_service_spec.rb b/modules/openid_connect/spec/services/openid_connect/providers/create_service_spec.rb new file mode 100644 index 000000000000..79f9518b4bb2 --- /dev/null +++ b/modules/openid_connect/spec/services/openid_connect/providers/create_service_spec.rb @@ -0,0 +1,36 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require "services/base_services/behaves_like_create_service" + +RSpec.describe OpenIDConnect::Providers::CreateService, type: :model do + it_behaves_like "BaseServices create service" do + let(:factory) { :oidc_provider } + end +end diff --git a/modules/openid_connect/spec/services/openid_connect/providers/set_attributes_service_spec.rb b/modules/openid_connect/spec/services/openid_connect/providers/set_attributes_service_spec.rb new file mode 100644 index 000000000000..88975b615814 --- /dev/null +++ b/modules/openid_connect/spec/services/openid_connect/providers/set_attributes_service_spec.rb @@ -0,0 +1,190 @@ +# frozen_string_literal: true + +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require_module_spec_helper + +RSpec.describe OpenIDConnect::Providers::SetAttributesService, type: :model do + let(:current_user) { build_stubbed(:admin) } + + let(:instance) do + described_class.new(user: current_user, + model: model_instance, + contract_class:, + contract_options: {}) + end + + let(:call) { instance.call(params) } + + subject { call.result } + + describe "new instance" do + let(:model_instance) { OpenIDConnect::Provider.new(oidc_provider: "custom", display_name: "foo") } + let(:contract_class) { OpenIDConnect::Providers::CreateContract } + + describe "default attributes" do + let(:params) { {} } + + it "sets all default attributes", :aggregate_failures do + expect(subject.display_name).to eq "foo" + expect(subject.slug).to eq "oidc-foo" + expect(subject.creator).to eq(current_user) + + expect(subject.mapping_email).to be_blank + expect(subject.mapping_first_name).to be_blank + expect(subject.mapping_last_name).to be_blank + expect(subject.mapping_login).to be_blank + end + end + + describe "setting claims" do + let(:params) do + { + claims: value + } + end + + context "when nil" do + let(:value) { nil } + + it "is valid" do + expect(call).to be_success + expect(call.errors).to be_empty + + expect(subject.claims).to be_nil + end + end + + context "when blank" do + let(:value) { "" } + + it "is valid" do + expect(call).to be_success + expect(call.errors).to be_empty + + expect(subject.claims).to eq "" + end + end + + context "when invalid JSON" do + let(:value) { "foo" } + + it "is invalid" do + expect(call).not_to be_success + expect(call.errors.details[:claims]) + .to contain_exactly({ error: :not_json }) + end + end + + context "when valid JSON" do + let(:value) do + { + id_token: { + acr: { + essential: true, + values: %w[phr phrh Multi_Factor] + } + } + }.to_json + end + + it "is valid" do + expect(call).to be_success + expect(call.errors).to be_empty + + expect(subject.claims).to eq value + end + end + end + + %i[token_endpoint metadata_url jwks_uri userinfo_endpoint end_session_endpoint].each do |url_attr| + describe "setting #{url_attr}" do + let(:params) do + { + url_attr => value + } + end + + context "when nil" do + let(:value) { nil } + + it "is valid" do + expect(call).to be_success + expect(call.errors).to be_empty + + expect(subject.public_send(url_attr)).to be_nil + end + end + + context "when blank" do + let(:value) { "" } + + it "is valid" do + expect(call).to be_success + expect(call.errors).to be_empty + + expect(subject.public_send(url_attr)).to eq "" + end + end + + context "when not a URL" do + let(:value) { "foo!" } + + it "is valid" do + expect(call).not_to be_success + expect(call.errors.details[url_attr]) + .to contain_exactly({ error: :url, value: }) + end + end + + context "when invalid scheme" do + let(:value) { "urn:some:info" } + + it "is valid" do + expect(call).not_to be_success + expect(call.errors.details[url_attr]) + .to contain_exactly({ error: :url, value: }) + end + end + + context "when valid" do + let(:value) { "https://foobar.example.com/slo" } + + it "is valid" do + expect(call).to be_success + expect(call.errors).to be_empty + + expect(subject.public_send(url_attr)).to eq value + end + end + end + end + end +end diff --git a/modules/openid_connect/spec/services/openid_connect/providers/update_service_spec.rb b/modules/openid_connect/spec/services/openid_connect/providers/update_service_spec.rb new file mode 100644 index 000000000000..7acd051a8991 --- /dev/null +++ b/modules/openid_connect/spec/services/openid_connect/providers/update_service_spec.rb @@ -0,0 +1,36 @@ +#-- copyright +# OpenProject is an open source project management software. +# Copyright (C) the OpenProject GmbH +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License version 3. +# +# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: +# Copyright (C) 2006-2013 Jean-Philippe Lang +# Copyright (C) 2010-2013 the ChiliProject Team +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# See COPYRIGHT and LICENSE files for more details. +#++ + +require "spec_helper" +require "services/base_services/behaves_like_update_service" + +RSpec.describe OpenIDConnect::Providers::UpdateService, type: :model do + it_behaves_like "BaseServices update service" do + let(:factory) { :oidc_provider } + end +end diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 66d7db19d217..c0ac9094fbc2 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -370,8 +370,12 @@ user.save! end + it "returns the internal provider slug" do + expect(user.authentication_provider).to eql("test_provider") + end + it "creates a human readable name" do - expect(user.authentication_provider).to eql("Test Provider") + expect(user.human_authentication_provider).to eql("Test Provider") end end diff --git a/spec/requests/api/v3/authentication_spec.rb b/spec/requests/api/v3/authentication_spec.rb index 045177706b6a..30171e45691c 100644 --- a/spec/requests/api/v3/authentication_spec.rb +++ b/spec/requests/api/v3/authentication_spec.rb @@ -366,28 +366,7 @@ def set_basic_auth_header(user, password) end end - describe( - "OIDC", - :webmock, - with_settings: { - plugin_openproject_openid_connect: { - "providers" => { - "keycloak" => { - "display_name" => "Keycloak", - "identifier" => "https://openproject.local", - "secret" => "9AWjVC3A4U1HLrZuSP4xiwHfw6zmgECn", - "host" => "keycloak.local", - "issuer" => "https://keycloak.local/realms/master", - "authorization_endpoint" => "/realms/master/protocol/openid-connect/auth", - "token_endpoint" => "/realms/master/protocol/openid-connect/token", - "userinfo_endpoint" => "/realms/master/protocol/openid-connect/userinfo", - "end_session_endpoint" => "https://keycloak.local/realms/master/protocol/openid-connect/logout", - "jwks_uri" => "https://keycloak.local/realms/master/protocol/openid-connect/certs" - } - } - } - } - ) do + describe("OIDC", :webmock) do let(:rsa_signed_access_token_without_aud) do "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5N0FteXZvUzhCRkZSZm01ODVHUGdBMTZHMUgyVjIyRWR4eHVBWVV1b0trIn0.eyJleHAiOjE3MjEyODM0MzAsImlhdCI6MTcyMTI4MzM3MCwianRpIjoiYzUyNmI0MzUtOTkxZi00NzRhLWFkMWItYzM3MTQ1NmQxZmQwIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2NhbC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpbIm1hc3Rlci1yZWFsbSIsImFjY291bnQiXSwic3ViIjoiYjcwZTJmYmYtZWE2OC00MjBjLWE3YTUtMGEyODdjYjY4OWM2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaHR0cHM6Ly9vcGVucHJvamVjdC5sb2NhbCIsInNlc3Npb25fc3RhdGUiOiJlYjIzNTI0MC0wYjQ3LTQ4ZmEtOGIzZS1mM2IzMTBkMzUyZTMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vb3BlbnByb2plY3QubG9jYWwiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImNyZWF0ZS1yZWFsbSIsImRlZmF1bHQtcm9sZXMtbWFzdGVyIiwib2ZmbGluZV9hY2Nlc3MiLCJhZG1pbiIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsibWFzdGVyLXJlYWxtIjp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiJlYjIzNTI0MC0wYjQ3LTQ4ZmEtOGIzZS1mM2IzMTBkMzUyZTMiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.cLgbN9kygRwthUx0R0FazPfIUeEUVnw4HnDgN-Hsnm9oXVr6MqmfTRKEI-6n62dlnVKsdadF_tWf3jp26d6neLj1zlR-vojwaHm8A08S9m6IeMr9e0CGiYVHjrJtEeTgq6P9cJJfe7uuhSSvlG3ltFPDxaAe14Dz3BjhLO3iaCRkWfAZjKmnW-IMzzzHfGH-7of7qCAlF5ObEax38mf1Q0OmsPA4_5po-FFtw7H7FfDjsr6EXgtdwloDePkk2XIHs2XsIo0YugVHC9GqCWgBA8MBvCirFivqM53paZMnjhpQH-xgTpYGWlw3WNbG2Rny2GoEwIxdYOUO2amDQ_zkrQ" end @@ -400,6 +379,7 @@ def set_basic_auth_header(user, password) let(:keys_request_stub) { nil } before do + create(:oidc_provider, slug: "keycloak") create(:user, identity_url: "keycloak:#{token_sub}") keys_request_stub diff --git a/spec/requests/openid_google_provider_callback_spec.rb b/spec/requests/openid_google_provider_callback_spec.rb index 5f86a8ac23dc..d648991cc819 100644 --- a/spec/requests/openid_google_provider_callback_spec.rb +++ b/spec/requests/openid_google_provider_callback_spec.rb @@ -33,6 +33,7 @@ include Rack::Test::Methods include API::V3::Utilities::PathHelper + let(:provider) { create(:oidc_provider_google, limit_self_registration: false) } let(:auth_hash) do { "state" => "623960f1b4f1020941387659f022497f536ad3c95fa7e53b0f03bdbf36debd59f76320801ea2723df520", "code" => "4/0AVHEtk6HMPLH08Uw8OVoSaAbd2oTi7Z6wOlBsMQ99Yj3qgKhhyKAxUQBvQ2MZuRzvueOgQ", @@ -41,7 +42,7 @@ "prompt" => "none" } end let(:uri) do - uri = URI("/auth/google/callback") + uri = URI("/auth/#{provider.slug}/callback") uri.query = URI.encode_www_form([["code", auth_hash["code"]], ["state", auth_hash["state"]], ["scope", auth_hash["scope"]], @@ -51,14 +52,7 @@ end before do - # enable self registration for Google which is limited by default - expect(OpenProject::Plugins::AuthPlugin) - .to receive(:limit_self_registration?) - .with(provider: "google") - .twice - .and_return false - - stub_request(:post, "https://accounts.google.com/o/oauth2/token").to_return( + stub_request(:post, "https://oauth2.googleapis.com/token").to_return( status: 200, body: { "access_token" => @@ -72,7 +66,7 @@ }.to_json, headers: { "content-type" => "application/json; charset=utf-8" } ) - stub_request(:get, Addressable::Template.new("https://www.googleapis.com/oauth2/v3/userinfo{?alt}")).to_return( + stub_request(:get, "https://openidconnect.googleapis.com/v1/userinfo").to_return( status: 200, body: { "sub" => "107403511037921355307", "name" => "Firstname Lastname", @@ -86,16 +80,14 @@ ) allow_any_instance_of(OmniAuth::Strategies::OpenIDConnect).to receive(:session) { - { "omniauth.state" => auth_hash["state"] } + { + "omniauth.state" => auth_hash["state"] + } } end - it "redirects user without errors", :webmock, with_settings: { - plugin_openproject_openid_connect: { - "providers" => { "google" => { "identifier" => "identifier", "secret" => "secret" } } - } - } do - response = get uri.to_s + it "redirects user without errors", :webmock do + response = get(uri.to_s) expect(response).to have_http_status(:found) expect(response.location).to eq("http://#{Setting.host_name}/two_factor_authentication/request") end diff --git a/spec/services/users/register_user_service_spec.rb b/spec/services/users/register_user_service_spec.rb index 16151dc25534..9a8cfa2f1458 100644 --- a/spec/services/users/register_user_service_spec.rb +++ b/spec/services/users/register_user_service_spec.rb @@ -100,13 +100,9 @@ def with_all_registration_options(except: []) context "with limit_self_registration enabled and self_registration disabled", with_settings: { self_registration: 0, - plugin_openproject_openid_connect: { - providers: { - azure: { identifier: "foo", secret: "bar", limit_self_registration: true } - } - } } do it "fails to activate due to disabled self registration" do + create(:oidc_provider, slug: "azure") call = instance.call expect(call).not_to be_success expect(call.result).to eq user @@ -117,13 +113,9 @@ def with_all_registration_options(except: []) context "with limit_self_registration enabled and self_registration manual", with_settings: { self_registration: 2, - plugin_openproject_openid_connect: { - providers: { - azure: { identifier: "foo", secret: "bar", limit_self_registration: true } - } - } } do it "registers the user, but does not activate it" do + create(:oidc_provider, slug: "azure") call = instance.call expect(call).to be_success expect(call.result).to eq user @@ -136,13 +128,10 @@ def with_all_registration_options(except: []) context "with limit_self_registration enabled and self_registration email", with_settings: { self_registration: 1, - plugin_openproject_openid_connect: { - providers: { - azure: { identifier: "foo", secret: "bar", limit_self_registration: true } - } - } } do it "registers the user, but does not activate it" do + create(:oidc_provider, slug: "azure") + call = instance.call expect(call).to be_success expect(call.result).to eq user @@ -155,13 +144,9 @@ def with_all_registration_options(except: []) context "with limit_self_registration enabled and self_registration automatic", with_settings: { self_registration: 3, - plugin_openproject_openid_connect: { - providers: { - azure: { identifier: "foo", secret: "bar", limit_self_registration: true } - } - } } do it "activates the user" do + create(:oidc_provider, slug: "azure") call = instance.call expect(call).to be_success expect(call.result).to eq user diff --git a/spec/support/shared/with_settings.rb b/spec/support/shared/with_settings.rb index d4286554d096..6ab6307e4e06 100644 --- a/spec/support/shared/with_settings.rb +++ b/spec/support/shared/with_settings.rb @@ -42,8 +42,8 @@ def aggregate_mocked_settings(example, settings) shared_let(:definitions_before) { Settings::Definition.all.dup } def reset(setting, **definitions) + setting = setting.to_sym definitions = Settings::Definition::DEFINITIONS[setting] if definitions.empty? - Settings::Definition.all.delete(setting) Settings::Definition.add(setting, **definitions) end