Add sso integration with keycloak

.env

@@ -0,0 +1,2 @@
+LOCAL=true
+DEVELOPMENT=true

Gemfile

@@ -14,6 +14,7 @@ gem 'config'
 gem 'countries'
 gem 'cssbundling-rails'
 gem 'database_cleaner'
+gem 'devise'
 gem 'faker'
 gem 'haml-rails'
 gem 'i18n_data'
@@ -28,6 +29,8 @@ gem 'net-pop', require: false
 gem 'net-smtp', require: false
 gem 'nokogiri', '~> 1.14'
 gem 'odf-report'
+gem 'omniauth-keycloak'
+gem 'omniauth-rails_csrf_protection'
 gem 'pg'
 gem 'pg_search'
 gem 'psych', '~> 3.3', '>= 3.3.4'
@@ -51,6 +54,7 @@ group :development, :test do
   # Call 'byebug' anywhere in the code
   # to stop execution and get a debugger console
   gem 'byebug', platform: :mri
+  gem 'dotenv'
   gem 'pry'
   gem 'pry-byebug'
   gem 'rspec-rails'

Gemfile.lock

@@ -81,6 +81,7 @@ GEM
       rake (>= 10.4, < 14.0)
     ast (2.4.2)
     base64 (0.2.0)
+    bcrypt (3.1.20)
     bigdecimal (3.1.6)
     bindata (2.5.0)
     bleib (0.0.8)
@@ -130,9 +131,16 @@ GEM
     database_cleaner-core (2.0.1)
     date (3.3.4)
     deep_merge (1.2.2)
+    devise (4.9.3)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0)
+      responders
+      warden (~> 1.2.3)
     diff-lcs (1.5.1)
     docile (1.4.0)
     domain_name (0.6.20240107)
+    dotenv (3.1.0)
     dry-configurable (1.1.0)
       dry-core (~> 1.0, < 2)
       zeitwerk (~> 2.6)
@@ -187,6 +195,7 @@ GEM
       activesupport (>= 5.1)
       haml (>= 4.0.6)
       railties (>= 5.1)
+    hashie (5.0.0)
     http-accept (1.7.0)
     http-cookie (1.0.5)
       domain_name (~> 0.5)
@@ -208,6 +217,8 @@ GEM
       faraday (~> 2.0)
       faraday-follow_redirects
     jsonapi-renderer (0.2.2)
+    jwt (2.8.0)
+      base64
     keycloak-api-rails (0.12.2)
       json-jwt (>= 1.11.0)
       rails (>= 4.2)
@@ -237,6 +248,7 @@ GEM
     mini_mime (1.1.5)
     minitest (5.22.2)
     msgpack (1.7.2)
+    multi_xml (0.6.0)
     net-http (0.4.1)
       uri
     net-imap (0.4.10)
@@ -253,10 +265,33 @@ GEM
     nio4r (2.7.0)
     nokogiri (1.16.2-x86_64-linux)
       racc (~> 1.4)
+    oauth2 (2.0.9)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1)
     odf-report (0.7.3)
       mime-types
       nokogiri (>= 1.10.0)
       rubyzip (>= 1.3.0)
+    omniauth (2.1.2)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-keycloak (1.5.2)
+      faraday
+      json-jwt (> 1.13.0)
+      omniauth (>= 2.0)
+      omniauth-oauth2 (>= 1.7, < 1.9)
+    omniauth-oauth2 (1.8.0)
+      oauth2 (>= 1.4, < 3)
+      omniauth (~> 2.0)
+    omniauth-rails_csrf_protection (1.0.1)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    orm_adapter (0.5.0)
     parallel (1.24.0)
     parser (3.3.0.5)
       ast (~> 2.4.1)
@@ -277,6 +312,9 @@ GEM
       nio4r (~> 2.0)
     racc (1.7.3)
     rack (2.2.8.1)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
     rack-test (2.1.0)
       rack (>= 1.3)
     rails (7.0.4.2)
@@ -322,6 +360,9 @@ GEM
       ffi (~> 1.0)
     rb-readline (0.5.5)
     regexp_parser (2.9.0)
+    responders (3.1.1)
+      actionpack (>= 5.2)
+      railties (>= 5.2)
     rest-client (2.1.0)
       http-accept (>= 1.7.0, < 2.0)
       http-cookie (>= 1.0.2, < 2.0)
@@ -344,7 +385,7 @@ GEM
       rspec-expectations (~> 3.12)
       rspec-mocks (~> 3.12)
       rspec-support (~> 3.12)
-    rspec-support (3.13.0)
+    rspec-support (3.13.1)
     rubocop (1.60.2)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
@@ -385,6 +426,9 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
+    snaky_hash (2.0.1)
+      hashie
+      version_gem (~> 1.1, >= 1.1.1)
     spring (2.1.1)
     spring-watcher-listen (2.0.1)
       listen (>= 2.7, < 4.0)
@@ -413,6 +457,9 @@ GEM
     unicode-display_width (2.5.0)
     uniform_notifier (1.16.0)
     uri (0.13.0)
+    version_gem (1.1.3)
+    warden (1.2.9)
+      rack (>= 2.0.9)
     webdrivers (5.3.1)
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
@@ -443,6 +490,8 @@ DEPENDENCIES
   countries
   cssbundling-rails
   database_cleaner
+  devise
+  dotenv
   faker
   haml-rails
   i18n_data
@@ -458,6 +507,8 @@ DEPENDENCIES
   net-smtp
   nokogiri (~> 1.14)
   odf-report
+  omniauth-keycloak
+  omniauth-rails_csrf_protection
   pg
   pg_search
   pry

README.md

@@ -40,6 +40,16 @@ You will need the following things properly installed on your computer:
 ## Setup dockerized Application👩🏽‍💻
 We're glad you want to setup your machine for PuzzleSkills development 💃
 
+## Openshift deployment
+To deploy the project to openshift make sure you set the following environment variables:
+- LOCAL=false
+- client_id: 
+- secret: 
+- host_url: 
+- realm: 
+- admin_role: (Not required)
+
+
 ### Windows users
 If you're on Windows you should be able to Download Ubuntu from Microsoft Store. Note that you need to enable Subsystem for Linux and virtual machine platform in your Windows features.  
 Then you can open Ubuntu and follow the manual using the Ubuntu console.  
@@ -91,6 +101,7 @@ Access the web application by browser: http://localhost:4200 and enjoy the ride!
 -   Frontend tests with livereload `rake spec:frontend:serve`
 -   To run a single test run the following command in the frontend folder `npm test --filter "some filter words"`
 -   There is also `rake ci` and `rake ci:nightly` which should be periodically exectued by a build job (e.g. on jenkins)
+-   To use a user without admin privileges change email in `app/controllers/application_controller.rb#authenticate_auth_user"` to "[email protected]"
 
 
 ## Documentation

app/controllers/application_controller.rb

@@ -1,4 +1,25 @@
 # frozen_string_literal: true
 
 class ApplicationController < ActionController::Base
+  before_action :authenticate_auth_user!
+
+  def authenticate_auth_user!
+    return super unless helpers.development?
+
+    admin = AuthUser.find_by(email: '[email protected]')
+    request.env['warden'].set_user(admin, :scope => :auth_user)
+  end
+
+  def render_unauthorized
+    return false if helpers.admin?
+
+    render_error('unauthorized', 'unauthorized', :unauthorized)
+  end
+
+  def render_error(title_key, body_key, status = :bad_request)
+    render partial: 'error_modal',
+           locals: { title: translate("devise.failure.titles.#{title_key}"),
+                     body: translate("devise.failure.#{body_key}") },
+           :status => status
+  end
 end

app/controllers/omniauth_callbacks_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  skip_before_action :verify_authenticity_token, only: :keycloak_openid
+
+  def keycloak_openid
+    omniauth_auth = request.env['omniauth.auth']
+    @user = AuthUser.from_omniauth(omniauth_auth)
+    if @user.persisted?
+      sign_in_and_redirect @user, event: :authentication
+      set_flash_message(:notice, :success, kind: 'Keycloak') if is_navigational_format?
+    else
+      failure
+    end
+  end
+
+  def failure
+    redirect_to root_path
+  end
+end

app/controllers/skills_controller.rb

@@ -1,12 +1,9 @@
 # frozen_string_literal: true
 
-require 'keycloak_tools'
-
 class SkillsController < CrudController
   include ExportController
-  include KeycloakTools
 
-  before_action :authorize_admin, except: %i[index show create unrated_by_person]
+  before_action :render_unauthorized, except: %i[index show unrated_by_person]
 
   self.permitted_attrs = %i[title radar portfolio default_set category_id]
 

app/helpers/auth_helper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module AuthHelper
+  def session_path(_scope)
+    new_auth_user_session_path
+  end
+
+  def admin?
+    current_auth_user&.is_admin
+  end
+
+  def generate_select_options_with_default(person)
+    selected = person ? person.id : ''
+    prompt = person ? false : true
+    { :selected => selected, :prompt => prompt, :disabled => '' }
+  end
+
+  def development?
+    ENV['DEVELOPMENT'] == 'true' && ENV['RAILS_ENV'] == 'development'
+  end
+end

app/models/auth_user.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class AuthUser < ApplicationRecord
+
+  devise :omniauthable, omniauth_providers: [:keycloak_openid]
+
+  class << self
+    def from_omniauth(auth)
+      person = where(uid: auth.uid).first_or_create do |user|
+        user.name = auth.info.name
+        user.email = auth.info.email
+      end
+      person.last_login = Time.zone.now
+      set_admin(person, auth)
+    end
+
+    private
+
+    def set_admin(person, auth)
+      person.is_admin = admin?(auth)
+      person.save
+      person
+    end
+
+    def admin?(auth)
+      resources = auth.extra.raw_info.resource_access[AuthConfig.client_id]
+      resources.roles.include? AuthConfig.admin_role
+    end
+  end
+end

app/views/application/_error_modal.html.haml

@@ -0,0 +1,2 @@
+= render "remote_modal", title: title do
+  = body

app/views/devise/sessions/new.html.haml

@@ -0,0 +1,6 @@
+%h2 Log in
+- if devise_mapping.omniauthable?
+  - resource_class.omniauth_providers.each do |provider|
+    = button_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider), {data: { turbo: false }, class: "btn btn-primary"}
+- else
+  An error %occured, no Omniauth providers are available, please contact the administrator.

app/views/layouts/application.html.haml

@@ -20,12 +20,19 @@
           %ul.navbar.text-gray
             %li.d-flex.align-items-center.cursor-pointer.ps-2.pe-2.border-start.border-end.h-100
               %pzsh-icon.scale-icon-06(name="user")
-              %text= "Curtis Jackson"
+              %span#username
+                =current_auth_user&.name 
+                - if admin?  
+                  (Admin)
             %li.d-flex.align-items-center.cursor-pointer.ps-2.pe-2
               %a.d-flex.align-items-center{:href => "https://github.com/puzzle/skills/issues"}
                 %pzsh-icon.scale-icon-08.text-gray(name="question-circle")
             %li.d-flex.align-items-center.cursor-pointer.border-start.border-end.h-100.ps-2.pe-2
-              %a= "Logout"
+              - if !development?
+                - if auth_user_signed_in?
+                  =link_to "Logout", destroy_auth_user_session_path, data: { "turbo-method": :delete}
+                - elsif devise_mapping.omniauthable?
+                  =button_to "Login", omniauth_authorize_path(resource_name, resource_class.omniauth_providers.first), {data: { "turbo": false}, class: "btn btn-link"}
         %div
           %pzsh-topbar.p-0
             %div.d-flex.justify-content-center

app/views/people/_search.html.haml

@@ -1,3 +1,3 @@
 = form_with do |f|
   %section{"data-controller"=>"dropdown"}
-    = f.collection_select :person_id, Person.all.sort_by(&:name), :id, :name, {:selected => person&.id} , {class: "form-select w-100", "data-action": "change->dropdown#handleChange", "data-value": "/people/"}
+    = f.collection_select :person_id, Person.all.sort_by(&:name), :id, :name,  generate_select_options_with_default(person) , {class: "form-select w-100", "data-action": "change->dropdown#handleChange", "data-value": "/people/"}

app/views/people/index.html.haml

@@ -1 +1 @@
-= render partial: "people/search", locals: { person: @people.order(:name).first }
+= render partial: "people/search", locals: { person: nil }

app/views/skills/index.html.haml

@@ -17,7 +17,7 @@
         %td= skill.title
         %td.table-light= skill.people.count
         %td= skill.category.title
-        %td.table-light= skill.category.parent.title
+        %td.table-light= skill.category.parent&.title
         %td= skill.default_set.nil? ? "Neu" : (skill.default_set? ? "Ja" : "Nein")
         %td.table-light= skill.radar
         %td

config/auth.yml

@@ -0,0 +1,5 @@
+client_id: pitc_skills_rails_backend
+secret: 
+host_url: https://sso-test.puzzle.ch
+realm: pitc
+admin_role: ADMIN

config/environments/development.rb

@@ -41,6 +41,8 @@
 
   config.action_mailer.perform_caching = false
 
+  config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
+
   # Print deprecation notices to the Rails logger.
   config.active_support.deprecation = :log
 
@@ -57,7 +59,7 @@
   # routes, locales, etc. This feature depends on the listen gem.
   config.file_watcher = ActiveSupport::EventedFileUpdateChecker
 
-  # Bullet configuration 
+  # Bullet configuration
   config.after_initialize do
     Bullet.enable = true