diff --git a/Gemfile.lock b/Gemfile.lock index 63d3ab67f..449677344 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -301,7 +301,7 @@ GEM js_cookie_rails (2.2.0) railties (>= 3.1) json (1.8.6) - json-jwt (1.10.2) + json-jwt (1.11.0) activesupport (>= 4.2) aes_key_wrap bindata @@ -346,7 +346,7 @@ GEM mini_magick (4.9.5) mini_mime (1.0.2) mini_portile2 (2.4.0) - minitest (5.11.3) + minitest (5.13.0) momentjs-rails (2.17.1) railties (>= 3.1) msgpack (1.3.1) @@ -590,7 +590,7 @@ GEM wkhtmltopdf-heroku (2.12.5.0) xpath (3.2.0) nokogiri (~> 1.8) - zeitwerk (2.1.10) + zeitwerk (2.2.1) PLATFORMS ruby diff --git a/app/controllers/api/api_controller.rb b/app/controllers/api/api_controller.rb index 52b81f169..a7e952991 100644 --- a/app/controllers/api/api_controller.rb +++ b/app/controllers/api/api_controller.rb @@ -80,7 +80,7 @@ module Api end # Default token implementation - unless iss == Api.configuration.core_api_token_iss + unless iss == Rails.configuration.x.core_api_token_iss raise JWT::InvalidPayload, I18n.t('api.core.wrong_iss') end payload = CoreJwt.decode(token) diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 376607973..212b23aca 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -28,7 +28,11 @@ class RepositoriesController < ApplicationController render 'repositories/index' end - def show; end + def show + @display_edit_button = can_create_repository_rows?(@repository) + @display_delete_button = can_delete_repository_rows?(@repository) + @display_duplicate_button = can_create_repository_rows?(@repository) + end def create_modal @repository = Repository.new diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index 6c6dc6944..ffab95602 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb @@ -12,8 +12,9 @@ class RepositoryRowsController < ApplicationController copy_records available_rows) before_action :check_create_permissions, only: :create + before_action :check_delete_permissions, only: :delete_records before_action :check_manage_permissions, - only: %i(edit update delete_records copy_records) + only: %i(edit update copy_records) def index @draw = params[:draw].to_i @@ -372,6 +373,10 @@ class RepositoryRowsController < ApplicationController render_403 unless can_manage_repository_rows?(@repository) end + def check_delete_permissions + render_403 unless can_delete_repository_rows?(@repository) + end + def record_params params.permit(:repository_row_name).to_h end diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb index 3c2b0af94..a52c97e8e 100644 --- a/app/controllers/users/sessions_controller.rb +++ b/app/controllers/users/sessions_controller.rb @@ -1,4 +1,8 @@ +# frozen_string_literal: true + class Users::SessionsController < Devise::SessionsController + layout :session_layout + # before_filter :configure_sign_in_params, only: [:create] after_action :after_sign_in, only: :create @@ -8,6 +12,7 @@ class Users::SessionsController < Devise::SessionsController # GET /resource/sign_in def new + @simple_sign_in = params[:simple_sign_in] == 'true' # If user was redirected here from OAuth's authorize/new page (Doorkeeper # endpoint for authorizing an OAuth client), 3rd party sign-in buttons # (e.g. LinkedIn) should be hidden. See config/initializers/devise.rb. @@ -76,4 +81,14 @@ class Users::SessionsController < Devise::SessionsController def configure_sign_in_params devise_parameter_sanitizer.for(:sign_in) << :attribute end + + private + + def session_layout + if @simple_sign_in + 'sign_in_halt' + else + 'layouts/main' + end + end end diff --git a/app/controllers/users/settings/account/connected_accounts_controller.rb b/app/controllers/users/settings/account/connected_accounts_controller.rb new file mode 100644 index 000000000..2edee3954 --- /dev/null +++ b/app/controllers/users/settings/account/connected_accounts_controller.rb @@ -0,0 +1,19 @@ +module Users + module Settings + module Account + class ConnectedAccountsController < ApplicationController + layout 'fluid' + + def index + @linked_accounts = current_user.user_identities.pluck(:provider) + end + + def destroy + current_user.user_identities.where(provider: params.require(:provider)).take&.destroy! + @linked_accounts = current_user.user_identities.pluck(:provider) + render :index + end + end + end + end +end diff --git a/app/helpers/left_menu_bar_helper.rb b/app/helpers/left_menu_bar_helper.rb index 13c0260d8..536ef7391 100644 --- a/app/helpers/left_menu_bar_helper.rb +++ b/app/helpers/left_menu_bar_helper.rb @@ -18,7 +18,7 @@ module LeftMenuBarHelper end def settings_are_selected? - controller_name.in? %(registrations preferences addons teams) + controller_name.in? %(registrations preferences addons teams connected_accounts) end def activities_are_selected? diff --git a/app/helpers/user_settings_helper.rb b/app/helpers/user_settings_helper.rb index 448ef9b63..3332564e0 100644 --- a/app/helpers/user_settings_helper.rb +++ b/app/helpers/user_settings_helper.rb @@ -2,7 +2,8 @@ module UserSettingsHelper def on_settings_account_page? controller_name == 'registrations' && action_name == 'edit' || controller_name == 'preferences' && action_name == 'index' || - controller_name == 'addons' && action_name == 'index' + controller_name == 'addons' && action_name == 'index' || + controller_name == 'connected_accounts' end def on_settings_account_profile_page? @@ -21,4 +22,8 @@ module UserSettingsHelper controller_name.in?(%w(teams audits)) && action_name.in?(%w(index new create show audits_index)) end + + def on_settings_account_connected_accounts_page? + controller_name == 'connected_accounts' + end end diff --git a/app/models/user.rb b/app/models/user.rb index 973f6415d..149fe3a52 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -486,7 +486,7 @@ class User < ApplicationRecord includes(:user_identities) .where( 'user_identities.provider=? AND user_identities.uid=?', - Api.configuration.azure_ad_apps[token_payload[:aud]][:provider], + Rails.configuration.x.azure_ad_apps[token_payload[:aud]][:provider], token_payload[:sub] ) .references(:user_identities) diff --git a/app/permissions/repository.rb b/app/permissions/repository.rb index 05e018c89..47b78d9c8 100644 --- a/app/permissions/repository.rb +++ b/app/permissions/repository.rb @@ -30,6 +30,14 @@ Canaid::Permissions.register_for(Repository) do can_create_repository_rows?(user, repository) end + can :update_repository_rows do |user, repository| + can_manage_repository_rows?(user, repository) + end + + can :delete_repository_rows do |user, repository| + can_manage_repository_rows?(user, repository) + end + # repository: create field can :create_repository_columns do |user, repository| can_create_repository_rows?(user, repository) unless repository.shared_with?(user.current_team) diff --git a/app/services/api.rb b/app/services/api.rb deleted file mode 100644 index 322d01e26..000000000 --- a/app/services/api.rb +++ /dev/null @@ -1,31 +0,0 @@ -module Api - class << self - attr_accessor :configuration - end - - def self.configuration - @configuration ||= Configuration.new - end - - def self.configure - yield(configuration) - end - - class Configuration - attr_accessor :core_api_sign_alg - attr_accessor :core_api_token_ttl - attr_accessor :core_api_token_iss - attr_accessor :azure_ad_apps - attr_accessor :core_api_v1_enabled - attr_accessor :core_api_rate_limit - - def initialize - @core_api_sign_alg = 'HS256' - @core_api_token_ttl = 30.minutes - @core_api_token_iss = 'SciNote' - @azure_ad_apps = {} - @core_api_v1_enabled = false - @core_api_rate_limit = 1000 - end - end -end diff --git a/app/services/api/azure_jwt.rb b/app/services/api/azure_jwt.rb index 4df270651..f6804d2ce 100644 --- a/app/services/api/azure_jwt.rb +++ b/app/services/api/azure_jwt.rb @@ -9,7 +9,7 @@ module Api def self.fetch_rsa_key(k_id, app_id) cache_key = "api_azure_ad_rsa_key_#{k_id}" Rails.cache.fetch(cache_key, expires_in: KEYS_CACHING_PERIOD) do - conf_url = Api.configuration.azure_ad_apps[app_id][:conf_url] + conf_url = Rails.configuration.x.azure_ad_apps[app_id][:conf_url] keys_url = JSON.parse(Net::HTTP.get(URI(conf_url)))['jwks_uri'] data = JSON.parse(Net::HTTP.get(URI.parse(keys_url))) verif_key = data['keys'].find { |key| key['kid'] == k_id } @@ -35,7 +35,7 @@ module Api # Now search for matching app variables in configuration app_id = unverified_token[0]['aud'] - app_config = Api.configuration.azure_ad_apps[app_id] + app_config = Rails.configuration.x.azure_ad_apps[app_id] unless app_config raise JWT::VerificationError, 'Azure AD: No application configured with such ID' diff --git a/app/services/api/core_jwt.rb b/app/services/api/core_jwt.rb index 10c39850a..14b0b2795 100644 --- a/app/services/api/core_jwt.rb +++ b/app/services/api/core_jwt.rb @@ -7,15 +7,15 @@ module Api if expires_at payload[:exp] = expires_at else - payload[:exp] = Api.configuration.core_api_token_ttl.from_now.to_i + payload[:exp] = Rails.configuration.x.core_api_token_ttl.from_now.to_i end - payload[:iss] = Api.configuration.core_api_token_iss - JWT.encode(payload, KEY_SECRET, Api.configuration.core_api_sign_alg) + payload[:iss] = Rails.configuration.x.core_api_token_iss + JWT.encode(payload, KEY_SECRET, Rails.configuration.x.core_api_sign_alg) end def self.decode(token) HashWithIndifferentAccess.new( - JWT.decode(token, KEY_SECRET, Api.configuration.core_api_sign_alg)[0] + JWT.decode(token, KEY_SECRET, Rails.configuration.x.core_api_sign_alg)[0] ) end diff --git a/app/views/layouts/sign_in_halt.html.erb b/app/views/layouts/sign_in_halt.html.erb index b9a4f43b7..0e799efb2 100644 --- a/app/views/layouts/sign_in_halt.html.erb +++ b/app/views/layouts/sign_in_halt.html.erb @@ -27,11 +27,13 @@ <%= image_tag('/images/scinote_icon.jpg', id: 'logo') %> -
- <%= link_to main_app.destroy_user_session_path, class: 'btn btn-default', method: :delete do %> - <%= t('nav.user.logout') %> - <% end %> -
+ <% if user_signed_in? %> +
+ <%= link_to main_app.destroy_user_session_path, class: 'btn btn-default', method: :delete do %> + <%= t('nav.user.logout') %> + <% end %> +
+ <% end %> <% if flash[:error]%> diff --git a/app/views/repositories/show.html.erb b/app/views/repositories/show.html.erb index ef664aeb2..6a931cd9b 100644 --- a/app/views/repositories/show.html.erb +++ b/app/views/repositories/show.html.erb @@ -128,21 +128,29 @@ <% end %> <% if can_manage_repository_rows?(@repository) %> - - - + + <%if @display_edit_button %> + + <% end %> + + <%if @display_delete_button %> + + <% end %> + + <%if @display_duplicate_button %> + + <%end%> <% elsif @repository.shared_with?(current_team) %>

<%= t('repositories.index.view_only_permission_label') %>

<% end %> diff --git a/app/views/users/sessions/new.html.erb b/app/views/users/sessions/new.html.erb index 9f87fcf33..245e51f83 100644 --- a/app/views/users/sessions/new.html.erb +++ b/app/views/users/sessions/new.html.erb @@ -18,17 +18,19 @@ <%= f.password_field :password, autocomplete: "off", class: "form-control", placeholder: t("devise.sessions.new.password_placeholder") %> - <% if devise_mapping.rememberable? -%> + <% if devise_mapping.rememberable? && !@simple_sign_in %>
<%= f.check_box :remember_me %> <%= f.label :remember_me %>
- <% end -%> + <% end %> + + <%= hidden_field_tag(:simple_sign_in, @simple_sign_in) %>
<%= f.submit t("devise.sessions.new.submit"), class: "btn btn-primary" %>
<% end %> - <%= render "users/shared/links" %> + <%= render "users/shared/links" unless @simple_sign_in %> diff --git a/app/views/users/settings/_sidebar.html.erb b/app/views/users/settings/_sidebar.html.erb index a68b5c6c9..82530afef 100644 --- a/app/views/users/settings/_sidebar.html.erb +++ b/app/views/users/settings/_sidebar.html.erb @@ -56,6 +56,20 @@ <% end %> + +
  • + + <% if on_settings_account_connected_accounts_page? %> + "> + <%= t("users.settings.sidebar.account_nav.connected_accounts") %> + + <% else %> + <%= link_to t("users.settings.sidebar.account_nav.connected_accounts"), + connected_accounts_path, + data: { 'no-turbolink' => 'true' } %> + <% end %> + +
    • diff --git a/app/views/users/settings/account/connected_accounts/_azure_ad.html.erb b/app/views/users/settings/account/connected_accounts/_azure_ad.html.erb new file mode 100644 index 000000000..119bd8d65 --- /dev/null +++ b/app/views/users/settings/account/connected_accounts/_azure_ad.html.erb @@ -0,0 +1,24 @@ +
    +
    +
    + <%= t('users.settings.account.connected_accounts.azure_ad.title') %>
    +

    <%= t('users.settings.account.connected_accounts.azure_ad.connect_hint') %>

    +
    +
    +
    + + <%= t('users.settings.account.connected_accounts.azure_ad.connected') %> + + +
    +
    + <%= link_to t('users.settings.account.connected_accounts.azure_ad.unlink_button'), + '#unlinkAzureADModal', + class: 'btn btn-danger', + data: { toggle: 'modal'} %> +
    +
    +
    +
    + +<%= render partial: 'users/settings/account/connected_accounts/unlink_modals/azure_ad_modal', locals: { provider: provider } %> diff --git a/app/views/users/settings/account/connected_accounts/index.html.erb b/app/views/users/settings/account/connected_accounts/index.html.erb new file mode 100644 index 000000000..a8c63b402 --- /dev/null +++ b/app/views/users/settings/account/connected_accounts/index.html.erb @@ -0,0 +1,31 @@ +<% provide(:head_title, t("users.settings.account.connected_accounts.head_title")) %> + +<%= render partial: "users/settings/sidebar.html.erb" %> +
    +
    + +
    +
    +

    <%= t('users.settings.account.connected_accounts.title') %>

    + + <% if @linked_accounts.any? %> + <% @linked_accounts.each do |provider| %> + <% if Rails.configuration.x.azure_ad_apps.find { |_,value| value[:provider] == provider } %> + <% if lookup_context.exists?(provider, 'users/settings/account/connected_accounts', true) %> + <%= render partial: provider %> + <% else %> + <%= render partial: 'azure_ad', locals: { provider: provider } %> + <% end %> + <% end %> + <% end %> + <% else %> +
    + <%= t('users.settings.account.connected_accounts.not_connected') %> +
    + <% end %> + +
    +
    +
    +
    +
    diff --git a/app/views/users/settings/account/connected_accounts/unlink_modals/_azure_ad_modal.html.erb b/app/views/users/settings/account/connected_accounts/unlink_modals/_azure_ad_modal.html.erb new file mode 100644 index 000000000..7cd417403 --- /dev/null +++ b/app/views/users/settings/account/connected_accounts/unlink_modals/_azure_ad_modal.html.erb @@ -0,0 +1,23 @@ + diff --git a/config/initializers/api.rb b/config/initializers/api.rb index dd4ece455..e49c585a8 100644 --- a/config/initializers/api.rb +++ b/config/initializers/api.rb @@ -1,36 +1,13 @@ -Api.configure do |config| - if ENV['CORE_API_SIGN_ALG'] - config.core_api_sign_alg = ENV['CORE_API_SIGN_ALG'] - end - if ENV['CORE_API_TOKEN_TTL'] - config.core_api_token_ttl = ENV['CORE_API_TOKEN_TTL'].to_i.seconds - end - if ENV['CORE_API_TOKEN_ISS'] - config.core_api_token_iss = ENV['CORE_API_TOKEN_ISS'] - end +# frozen_string_literal: true - config.core_api_rate_limit = - ENV['CORE_API_RATE_LIMIT'] ? ENV['CORE_API_RATE_LIMIT'].to_i : 1000 +Rails.application.configure do + config.x.core_api_sign_alg = ENV['CORE_API_SIGN_ALG'] || 'HS256' - config.core_api_v1_enabled = true if ENV['CORE_API_V1_ENABLED'] + config.x.core_api_token_ttl = ENV['CORE_API_TOKEN_TTL'] ? ENV['CORE_API_TOKEN_TTL'].to_i.seconds : 30.minutes - vars = ENV.select { |name, _| name =~ /^[[:alnum:]]*_AZURE_AD_APP_ID/ } - vars.each do |name, value| - app_name = name.sub('_AZURE_AD_APP_ID', '') - config.azure_ad_apps[value] = {} + config.x.core_api_token_iss = ENV['CORE_API_TOKEN_ISS'] || 'SciNote' - iss = ENV["#{app_name}_AZURE_AD_ISS"] - raise StandardError, "No ISS for #{app_name} Azure app" unless iss - config.azure_ad_apps[value][:iss] = iss + config.x.core_api_rate_limit = ENV['CORE_API_RATE_LIMIT'] ? ENV['CORE_API_RATE_LIMIT'].to_i : 1000 - conf_url = ENV["#{app_name}_AZURE_AD_CONF_URL"] - raise StandardError, "No CONF_URL for #{app_name} Azure app" unless conf_url - config.azure_ad_apps[value][:conf_url] = conf_url - - provider = ENV["#{app_name}_AZURE_AD_PROVIDER_NAME"] - unless provider - raise StandardError, "No PROVIDER_NAME for #{app_name} Azure app" - end - config.azure_ad_apps[value][:provider] = provider - end + config.x.core_api_v1_enabled = ENV['CORE_API_V1_ENABLED'] || false end diff --git a/config/initializers/azure_ad.rb b/config/initializers/azure_ad.rb new file mode 100644 index 000000000..78cfc9b23 --- /dev/null +++ b/config/initializers/azure_ad.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +Rails.application.configure do + vars = ENV.select { |name, _| name =~ /^[[:alnum:]]*_AZURE_AD_APP_ID/ } + vars.each do |name, value| + app_name = name.sub('_AZURE_AD_APP_ID', '') + config.x.azure_ad_apps[value] = {} + + iss = ENV["#{app_name}_AZURE_AD_ISS"] + raise StandardError, "No ISS for #{app_name} Azure app" unless iss + + config.x.azure_ad_apps[value][:iss] = iss + + conf_url = ENV["#{app_name}_AZURE_AD_CONF_URL"] + raise StandardError, "No CONF_URL for #{app_name} Azure app" unless conf_url + + config.x.azure_ad_apps[value][:conf_url] = conf_url + + provider = ENV["#{app_name}_AZURE_AD_PROVIDER_NAME"] + raise StandardError, "No PROVIDER_NAME for #{app_name} Azure app" unless provider + + config.x.azure_ad_apps[value][:provider] = provider + end +end diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 517c8e1ac..a5605e726 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -2,10 +2,10 @@ return unless Rails.env.production? -return if Api.configuration.core_api_rate_limit.zero? +return if Rails.configuration.x.core_api_rate_limit.zero? Rack::Attack.throttle('api requests by ip', - limit: Api.configuration.core_api_rate_limit, + limit: Rails.configuration.x.core_api_rate_limit, period: 60) do |request| request.ip if request.path.match?(%r{^\/api\/}) end diff --git a/config/locales/en.yml b/config/locales/en.yml index 28a37488e..3bbed6ecf 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1463,6 +1463,7 @@ en: profile: "Profile" preferences: "Preferences" addons: "Add-ons" + connected_accounts: "Connected Accounts" account: preferences: head_title: "Settings | My preferences" @@ -1483,6 +1484,19 @@ en: head_title: "Settings | Add-ons" title: "Add-ons" no_addons: "You have no SciNote Add-ons." + connected_accounts: + head_title: "Settings | Connected Accounts" + title: "Connected Accounts" + not_connected: "You have no Connected accounts" + azure_ad: + title: "Your Azure AD Account" + connect_hint: "Allows you to sign in with your Azure AD account." + connected: "Connected" + unlink_button: "Unlink" + unlink_modal: + title: "Unlink Azure AD account?" + description_1: "Are you sure you would like unlink Azure AD and SciNote accounts?" + submit_button: "Submit" teams: head_title: "Settings | Teams" breadcrumbs: diff --git a/config/routes.rb b/config/routes.rb index f5a625daa..d878067ff 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -62,6 +62,12 @@ Rails.application.routes.draw do get 'users/settings/account/addons', to: 'users/settings/account/addons#index', as: 'addons' + get 'users/settings/account/connected_accounts', + to: 'users/settings/account/connected_accounts#index', + as: 'connected_accounts' + delete 'users/settings/account/connected_accounts', + to: 'users/settings/account/connected_accounts#destroy', + as: 'unlink_connected_account' put 'users/settings/account/preferences', to: 'users/settings/account/preferences#update', as: 'update_preferences' @@ -620,7 +626,7 @@ Rails.application.routes.draw do namespace :api, defaults: { format: 'json' } do get 'health', to: 'api#health' get 'status', to: 'api#status' - if Api.configuration.core_api_v1_enabled || Rails.env.development? + if Rails.configuration.x.core_api_v1_enabled namespace :v1 do resources :teams, only: %i(index show) do resources :inventories,