Fix handling of ISS in Azure configuration, fix linked accounts page [SCI-7923] (#4974)

2025-09-13 08:34:49 +08:00 · 2023-02-14 16:50:15 +01:00 · 2023-02-14 16:50:15 +01:00 · 7f8f723cbe
commit 7f8f723cbe
parent aa3ea584a9
5 changed files with 26 additions and 27 deletions
--- a/app/controllers/users/settings/account/connected_accounts_controller.rb
+++ b/app/controllers/users/settings/account/connected_accounts_controller.rb
@ -9,7 +9,8 @@ module Users
        end

        def destroy
-          if Rails.configuration.x.azure_ad_apps.select { |_, v| v[:provider] == params[:provider] }.present?
+          settings = ApplicationSettings.instance
+          if settings.values['azure_ad_apps']&.find { |v| v['provider_name'] == params[:provider] }
            provider = params[:provider]
          else
            flash[:error] = t('users.settings.account.connected_accounts.errors.not_found')
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -539,18 +539,16 @@ class User < ApplicationRecord
  end

  def self.from_azure_jwt_token(token_payload)
-    includes(:user_identities)
-      .where(
-        'user_identities.provider=? AND user_identities.uid=?',
-        Rails.configuration.x.azure_ad_apps[token_payload[:aud]][:provider],
-        token_payload[:sub]
-      )
-      .references(:user_identities)
-      .take
+    settings = ApplicationSettings.instance
+    provider_conf = settings.values['azure_ad_apps']&.find { |v| v['app_id'] == token_payload[:aud] }
+    return nil unless provider_conf
+
+    joins(:user_identities)
+      .find_by(user_identities: { provider: provider_conf['provider_name'], uid: token_payload[:sub] })
  end

  def has_linked_account?(provider)
-    user_identities.where(provider: provider).exists?
+    user_identities.exists?(provider: provider)
  end

  # This method must be overwriten for addons that will be installed
--- a/app/services/api/azure_jwt.rb
+++ b/app/services/api/azure_jwt.rb
@ -9,14 +9,16 @@ module Api
    def self.fetch_rsa_key(k_id, app_id)
      cache_key = "api_azure_ad_rsa_key_#{k_id}"
      Rails.cache.fetch(cache_key, expires_in: KEYS_CACHING_PERIOD) do
-        conf_url = Rails.configuration.x.azure_ad_apps[app_id][:conf_url]
+        settings = ApplicationSettings.instance
+        provider_conf = settings.values['azure_ad_apps']&.find { |v| v['app_id'] == app_id }
+        raise JWT::VerificationError, 'Azure AD: No application configured with such ID' unless provider_conf
+
+        conf_url = provider_conf['conf_url']
        keys_url = JSON.parse(Net::HTTP.get(URI(conf_url)))['jwks_uri']
        data = JSON.parse(Net::HTTP.get(URI.parse(keys_url)))
        verif_key = data['keys'].find { |key| key['kid'] == k_id }
-        unless verif_key
-          raise JWT::VerificationError,
-                'Azure AD: No keys from key endpoint match the key in the token'
-        end
+        raise JWT::VerificationError, 'Azure AD: No keys from key endpoint match the key in the token' unless verif_key
+
        JSON::JWK.new(verif_key).to_key.to_s
      end
    end
@ -29,17 +31,13 @@ module Api
      unverified_token = JWT.decode(token, nil, false)

      k_id = unverified_token[1]['kid']
-      unless k_id
-        raise JWT::VerificationError, 'Azure AD: No Key ID in token header'
-      end
+      raise JWT::VerificationError, 'Azure AD: No Key ID in token header' unless k_id

      # Now search for matching app variables in configuration
      app_id = unverified_token[0]['aud']
-      app_config = Rails.configuration.x.azure_ad_apps[app_id]
-      unless app_config
-        raise JWT::VerificationError,
-              'Azure AD: No application configured with such ID'
-      end
+      settings = ApplicationSettings.instance
+      provider_conf = settings.values['azure_ad_apps']&.find { |v| v['app_id'] == app_id }
+      raise JWT::VerificationError, 'Azure AD: No application configured with such ID' unless provider_conf

      # Decode token payload and verify it's signature.
      payload, header = JWT.decode(
@ -51,7 +49,7 @@ module Api
        verify_aud: true,
        aud: app_id,
        verify_iss: true,
-        iss: app_config[:iss],
+        iss: provider_conf['iss'],
        nbf_leeway: LEEWAY
      )
      [HashWithIndifferentAccess.new(payload), HashWithIndifferentAccess.new(header)]
--- a/app/views/users/settings/account/connected_accounts/index.html.erb
+++ b/app/views/users/settings/account/connected_accounts/index.html.erb
@ -8,10 +8,10 @@
    <div class="row">
      <div class="col-xs-12 col-sm-12">
        <h1 class="connected-accounts-title"><%= t('users.settings.account.connected_accounts.title') %></h1>
-
-        <% if @linked_accounts.any? %>
+        <% if @linked_accounts.present? %>
          <% @linked_accounts.each do |provider| %>
-            <% if Rails.configuration.x.azure_ad_apps.find { |_,value| value[:provider] == provider || provider == 'giot_connect'} %>
+            <% settings = ApplicationSettings.instance %>
+            <% if provider == 'giot_connect' || settings.values['azure_ad_apps']&.find { |v| v['provider_name'] == provider } %>
              <% if lookup_context.exists?(provider, 'users/settings/account/connected_accounts', true) %>
                <%= render partial: provider %>
              <% else %>
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -27,6 +27,8 @@ AZURE_SETUP_PROC = lambda do |env|
  env['omniauth.strategy'].options[:tenant_id] = provider_conf['tenant_id']
  env['omniauth.strategy'].options[:sign_in_policy] = provider_conf['sign_in_policy']
  env['omniauth.strategy'].options[:name] = 'customazureactivedirectory'
+  conf_uri = URI.parse(provider_conf['conf_url'])
+  env['omniauth.strategy'].options[:base_azure_url] = "#{conf_uri.scheme || 'https'}://#{conf_uri.host}"
 end

 OKTA_SETUP_PROC = lambda do |env|