Merge pull request #2531 from okriuchykhin/ok_SCI_4544_v2

Add option for storing Azure app configs in settings using JSON format [SCI-4544]
2025-02-24 15:54:00 +08:00 · 2020-05-05 16:27:56 +02:00 · 2020-05-05 16:27:56 +02:00 · a33737c5b7
commit a33737c5b7
parent cc72c39eda d5e3ac2769
7 changed files with 77 additions and 36 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -28,25 +28,40 @@ module Users
      email = auth.info.email
      email ||= auth.dig(:extra, :raw_info, :id_token_claims, :emails)&.first
      user = User.from_omniauth(auth)
-      if user
-        # User found in database so just sign in him
-        sign_in_and_redirect(user)
-      elsif email.present?
-        user = User.find_by(email: email)

-        if user.blank?
-          # Create new user and identity
-          User.create_from_omniauth!(auth)
-          sign_in_and_redirect(user)
-        elsif provider_conf[:auto_link_on_sign_in]
-          # Link to existing local account
+      # User found in database so just signing in
+      return sign_in_and_redirect(user) if user.present?
+
+      if email.blank?
+        # No email in the token so can not link or create user
+        error_message = I18n.t('devise.azure.errors.no_email')
+        return redirect_to after_omniauth_failure_path_for(resource_name)
+      end
+
+      user = User.find_by(email: email)
+
+      if user.blank?
+        # Create new user and identity
+        full_name = "#{auth.info.first_name} #{auth.info.last_name}"
+        user = User.new(full_name: full_name,
+                        initials: generate_initials(full_name),
+                        email: email,
+                        password: generate_user_password)
+        User.transaction do
+          user.save!
          user.user_identities.create!(provider: auth.provider, uid: auth.uid)
-          sign_in_and_redirect(user)
-        else
-          # Cannot do anything with it, so just return an error
-          error_message = I18n.t('devise.azure.errors.no_local_user_map')
-          redirect_to after_omniauth_failure_path_for(resource_name)
+          user.update!(confirmed_at: user.created_at)
        end
+
+        sign_in_and_redirect(user)
+      elsif provider_conf[:auto_link_on_sign_in]
+        # Link to existing local account
+        user.user_identities.create!(provider: auth.provider, uid: auth.uid)
+        sign_in_and_redirect(user)
+      else
+        # Cannot do anything with it, so just return an error
+        error_message = I18n.t('devise.azure.errors.no_local_user_map')
+        redirect_to after_omniauth_failure_path_for(resource_name)
      end
    rescue StandardError => e
      Rails.logger.error e.message
--- a/app/models/application_settings.rb
+++ b/app/models/application_settings.rb
@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class ApplicationSettings < Settings
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -354,20 +354,6 @@ class User < ApplicationRecord
      .take
  end

-  def self.create_from_omniauth!(auth)
-    full_name = "#{auth.info.first_name} #{auth.info.last_name}"
-    user = User.new(full_name: full_name,
-                    initials: generate_initials(full_name),
-                    email: email,
-                    password: generate_user_password)
-    User.transaction do
-      user.save!
-      user.user_identities.create!(provider: auth.provider, uid: auth.uid)
-      user.update!(confirmed_at: user.created_at)
-    end
-    user
-  end
-
  # Search all active users for username & email. Can
  # also specify which team to ignore.
  def self.search(
--- a/config/initializers/azure_ad.rb
+++ b/config/initializers/azure_ad.rb
@ -34,4 +34,39 @@ Rails.application.configure do
      config.x.azure_ad_apps[value][:sign_in_policy] = ENV["#{app_name}_AZURE_AD_SIGN_IN_POLICY"]
    end
  end
+
+  # Checking additional configurations in ApplicationSettings JSON. Key and values should be strings there.
+  begin
+    if ApplicationSettings.instance.values['azure_ad_apps']&.is_a?(Array)
+      config.x.azure_ad_apps ||= HashWithIndifferentAccess.new
+      settings = ApplicationSettings.instance
+
+      settings.values['azure_ad_apps'].each do |azure_ad_app|
+        app_config = {}
+        app_id = azure_ad_app['app_id']
+        Rails.logger.error('No app_id present for the entry in Azure app settings') && next unless app_id
+
+        app_config[:iss] = azure_ad_app['iss']
+        Rails.logger.error("No iss for #{app_id} Azure app") && next unless app_config[:iss]
+
+        app_config[:conf_url] = azure_ad_app['conf_url']
+        Rails.logger.error("No conf_url for #{app_id} Azure app") && next unless app_config[:conf_url]
+
+        app_config[:provider] = azure_ad_app['provider_name']
+        Rails.logger.error("No provider_name for #{app_id} Azure app") && next unless app_config[:provider]
+
+        app_config[:enable_sign_in] = azure_ad_app['enable_sign_in'] == 'true'
+
+        if app_config[:enable_sign_in]
+          app_config[:sign_in_label] = azure_ad_app['sign_in_label'] || 'Sign in with Azure AD'
+          app_config[:auto_link_on_sign_in] = azure_ad_app['auto_link_on_sign_in'] == 'true'
+          app_config[:sign_in_policy] = azure_ad_app['sign_in_policy'] if azure_ad_app['sign_in_policy']
+        end
+
+        config.x.azure_ad_apps[app_id] = app_config
+      end
+    end
+  rescue ActiveRecord::ActiveRecordError, PG::ConnectionBad
+    Rails.logger.info('Not connected to database, skipping additional Azure AD configuration')
+  end
 end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -60,6 +60,7 @@ en:
      errors:
        generic: "Failed to sign in user"
        no_local_user_map: "No local user record found"
+        no_email: "Email is missing in auth token"
        failed_to_save: "Failed to create new user"

  doorkeeper:
--- a/lib/omniauth/strategies/custom_azure_active_directory.rb
+++ b/lib/omniauth/strategies/custom_azure_active_directory.rb
@ -25,7 +25,7 @@ module OmniAuth
          response_mode: response_mode,
          response_type: response_type,
          nonce: new_nonce,
-          scope: 'openid'
+          scope: 'openid profile email'
        }
        params[:p] = options[:sign_in_policy] if options[:sign_in_policy].present?

--- a/yarn.lock
+++ b/yarn.lock
@ -1136,7 +1136,7 @@ adjust-sourcemap-loader@^1.1.0:
    object-path "^0.9.2"
    regex-parser "^2.2.9"

-agent-base@4, agent-base@^4.1.0:
+agent-base@4, agent-base@^4.3.0:
  version "4.3.0"
  resolved "https://registry.yarnpkg.com/agent-base/-/agent-base-4.3.0.tgz#8165f01c436009bccad0b1d122f05ed770efc6ee"
  integrity sha512-salcGninV0nPrwpGNn4VTXBb1SOuXQBiqbrNXoeizJsHrsL6ERFM2Ne3JUSBWRE6aeNJI2ROP/WEEIDUiDe3cg==
@ -4659,11 +4659,11 @@ https-browserify@^1.0.0:
  integrity sha1-7AbBDgo0wPL68Zn3/X/Hj//QPHM=

 https-proxy-agent@^2.2.0:
-  version "2.2.1"
-  resolved "https://registry.yarnpkg.com/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz#51552970fa04d723e04c56d04178c3f92592bbc0"
-  integrity sha512-HPCTS1LW51bcyMYbxUIOO4HEOlQ1/1qRaFWcyxvwaqUS9TY88aoEuHUY33kuAh1YhVVaDQhLZsnPd+XNARWZlQ==
+  version "2.2.4"
+  resolved "https://registry.yarnpkg.com/https-proxy-agent/-/https-proxy-agent-2.2.4.tgz#4ee7a737abd92678a293d9b34a1af4d0d08c787b"
+  integrity sha512-OmvfoQ53WLjtA9HeYP9RNrWMJzzAz1JGaSFr1nijg0PVR1JaD/xbJq1mdEIIlxGpXp9eSe/O2LgU9DJmTPd0Eg==
  dependencies:
-    agent-base "^4.1.0"
+    agent-base "^4.3.0"
    debug "^3.1.0"

 iconv-lite@0.4.24, iconv-lite@^0.4.17, iconv-lite@^0.4.24, iconv-lite@^0.4.4, iconv-lite@~0.4.13: