Save OIDC tokens to OpenProject database. #16940

Draft: wants to merge 2 commits into base: dev
8 changes: 4 additions & 4 deletions app/services/authentication/omniauth_service.rb
Expand Up @@ -47,33 +47,33 @@
self.contract = ::Authentication::OmniauthAuthHashContract.new(auth_hash)
end

def call(additional_user_params = nil)
inspect_response(Logger::DEBUG)

unless contract.validate
result = ServiceResult.failure(errors: contract.errors)
Rails.logger.error do
"[OmniAuth strategy #{strategy.name}] Failed to process omniauth response for #{auth_uid}: #{result.message}"
end
inspect_response(Logger::ERROR)

return result
end

# Create or update the user from omniauth
# and assign non-nil parameters from the registration form - if any
assignable_params = (additional_user_params || {}).reject { |_, v| v.nil? }
assignable_params = (additional_user_params || {}).compact
update_user_from_omniauth!(assignable_params)

# If we have a new or invited user, we still need to register them
call = activate_user!

# Update the admin flag when present successful
call = update_admin_flag(call) if call.success?

# The user should be logged in now
tap_service_result call
end

Check notice on line 76 in app/services/authentication/omniauth_service.rb (GitHub Actions / rubocop):
[rubocop] app/services/authentication/omniauth_service.rb#L50-L76 <Metrics/AbcSize>
Assignment Branch Condition size for call is too high. [<4, 19, 3> 19.65/17]
Raw output: app/services/authentication/omniauth_service.rb:50:5: C: Metrics/AbcSize: Assignment Branch Condition size for call is too high. [<4, 19, 3> 19.65/17]

private
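Review bot: The `.compact` replacement on the `assignable_params` line is behaviour-equivalent to `reject { |_, v| v.nil? }` on a Hash, so no concern there; but the rubocop annotation on this page still flags `call` for Metrics/AbcSize (19.65/17) and this hunk does nothing to reduce it. Extracting the `unless contract.validate` failure branch (the `ServiceResult.failure`, the `Rails.logger.error` block and `inspect_response(Logger::ERROR)`) into a private helper that returns the failure result would bring `call` under the threshold without changing behaviour.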

Expand All @@ -99,7 +99,7 @@
# After login flow
def tap_service_result(call)
if call.success? && user.active?
OpenProject::Hook.call_hook :omniauth_user_authorized, { auth_hash:, controller: }
OpenProject::Hook.call_hook :omniauth_user_authorized, { auth_hash:, controller:, user: }
# Call deprecated login hook
OpenProject::OmniAuth::Authorization.after_login! user, auth_hash, self
end
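Review bot: Adding `user:` to the `:omniauth_user_authorized` payload changes the contract of a hook that other plugins may listen on, so the new key should be documented next to the existing `auth_hash:` and `controller:` keys. Since the hook fires only when `call.success? && user.active?`, listeners may rely on `user` being a persisted, active user, which is worth stating in that documentation.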
Expand Down Expand Up @@ -165,7 +165,7 @@
def remap_existing_user
return unless Setting.oauth_allow_remapping_of_existing_users?

User.not_builtin.find_by_login(user_attributes[:login]) # rubocop:disable Rails/DynamicFindBy
User.not_builtin.find_by_login(user_attributes[:login])
end

##
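Review bot: Dropping the `# rubocop:disable Rails/DynamicFindBy` comment is only safe if `find_by_login` is now exempt from that cop (for example via the cop's allowed-methods configuration) or is defined as an explicit method on `User`. The CI annotation on this page reports only Metrics/AbcSize for this file, which suggests the cop no longer fires, but that should be confirmed rather than assumed.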
Expand Down Expand Up @@ -285,7 +285,7 @@
# Try to provide some context of the auth_hash in case of errors
def auth_uid
hash = auth_hash || {}
hash.dig(:info, :uid) || hash.dig(:uid) || "unknown"
hash.dig(:info, :uid) || hash[:uid] || "unknown"
end
end
end
34 changes: 34 additions & 0 deletions db/migrate/20240806174815_add_tokens_to_oidc_user_session_links.rb
@@ -0,0 +1,34 @@
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++

class AddTokensToOidcUserSessionLinks < ActiveRecord::Migration[7.1]
def change
add_column :oidc_user_session_links, :access_token, :string
add_column :oidc_user_session_links, :refresh_token, :string
end
end
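Review bot: `access_token` and `refresh_token` are bearer credentials for the identity provider, and this migration stores them as plain `:string` columns, so anyone with read access to the database or its backups obtains tokens usable against the IdP as that user. Rails 7.1, which this migration targets, ships Active Record Encryption; declaring `encrypts :access_token, :refresh_token` on `OpenIDConnect::UserSessionLink` (with the encryption keys configured) keeps the values unreadable at rest. An `expires_at` column next to the access token would also let consumers know when a refresh is needed instead of discovering it from a failed request.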
Original file line number Diff line number Diff line change
@@ -1,3 +1,31 @@
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2024 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++

module OpenIDConnect
class UserSessionLink < ::ApplicationRecord
self.table_name = "oidc_user_session_links"
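Review bot: Only the license header changes in this file, yet the model now carries the two token columns from the migration, so it should also ensure the tokens are filtered from `inspect` output and logs (Active Record's `filter_attributes` picks up `config.filter_parameters`; confirm that OpenProject's filter list matches `access_token` and `refresh_token`), otherwise any logged or exception-reported record dumps the bearer tokens.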
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,11 @@ class Engine < ::Rails::Engine
end

# Remember oidc session values when logging in user
h[:retain_from_session] = %w[omniauth.oidc_sid]
h[:retain_from_session] = %w[
omniauth.oidc_sid
omniauth.oidc_access_token
omniauth.oidc_refresh_token
]

h[:backchannel_logout_callback] = ->(logout_token) do
::OpenProject::OpenIDConnect::SessionMapper.handle_logout(logout_token)
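Review bot: Retaining `omniauth.oidc_access_token` and `omniauth.oidc_refresh_token` in the session keeps both bearer tokens in the session store for the lifetime of the session, whereas they are only needed until `SessionMapper.handle_login` copies them into the `UserSessionLink` row. Deleting the two keys from the session once the link is persisted limits how long the tokens exist in a second place.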
Original file line number Diff line number Diff line change
Expand Up @@ -35,15 +35,22 @@ class Hook < OpenProject::Hook::Listener
def user_logged_in(context)
session = context[:session]
oidc_sid = session["omniauth.oidc_sid"]

return if oidc_sid.nil?

::OpenProject::OpenIDConnect::SessionMapper.handle_login(oidc_sid, session)
end

##
# Called once omniauth has returned with an auth hash
# NOTE: It's a passthrough as we no longer persist the access token into the cookie
def omniauth_user_authorized(_context); end
def omniauth_user_authorized(context)
controller = context.fetch(:controller)
session = controller.session

session["omniauth.oidc_access_token"] = context.dig(:auth_hash, :credentials, :token)
session["omniauth.oidc_refresh_token"] = context.dig(:auth_hash, :credentials, :refresh_token)
nil
end
end
end
end
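Review bot: The deleted comment recorded that the access token was deliberately no longer persisted into the cookie, and the replacement writes both the access token and the refresh token into `controller.session`; if the configured session store is cookie-based this reintroduces exactly that exposure, so the change should state (or assert in a spec) that a server-side session store is in use. Separately, `context.fetch(:controller)` raises `KeyError` for any caller that triggers `:omniauth_user_authorized` without a controller, which is stricter than the previous no-op listener; `context[:controller]` with an early return on nil would keep the hook tolerant of such callers.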
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,9 @@ def self.handle_login(oidc_session, session)
return
end

link = ::OpenIDConnect::UserSessionLink.new(oidc_session:)
link = ::OpenIDConnect::UserSessionLink.new(oidc_session:,
access_token: session["omniauth.oidc_access_token"],
refresh_token: session["omniauth.oidc_refresh_token"])
new(link).link_to_internal!(session)
rescue StandardError => e
Rails.logger.error { "Failed to map OIDC session to internal: #{e.message}" }
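Review bot: Only `access_token` and `refresh_token` are copied from the session into the link; without the corresponding expiry (if the strategy provides one in the auth hash credentials) a consumer of the link cannot tell whether the stored access token is still valid and must either always refresh or rely on a failed request. The two session keys are also read but never removed from `session`, so the tokens remain in the session store after they have been persisted; clearing them after `link_to_internal!` succeeds would avoid the duplicate copy.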