first try porting from CAS omniauth to SAML

Author: Christian Rodriguez

Gemfile

@@ -1,2 +1,2 @@
 gem 'omniauth', '>= 1.1.1'
-gem 'omniauth-cas', '>= 1.0.1'
+gem 'omniauth-saml', '~> 1.0.0'

TODO

@@ -0,0 +1,3 @@
+arreglar los settings (ahora se hardocdean)
+logout
+

app/views/redmine_omniauth_saml/_view_account_login_top.html.erb

@@ -0,0 +1,11 @@
+<% if Redmine::OmniAuthSAML.enabled? %>
+
+<% content_for :header_tags do %>
+  <%= stylesheet_link_tag "login", :plugin => "redmine_omniauth_saml" %>
+<% end %>
+
+<div id="saml-login">
+  <%= link_to label_for_saml_login, :controller => "account", :action => "login_with_saml_redirect", :provider => "saml", :origin => back_url %>
+</div>
+
+<% end %>

app/views/settings/_omniauth_saml_settings.html.erb

@@ -0,0 +1,26 @@
+<% flash.now[:error] = "#{l("label_cas_server")} #{l("activerecord.errors.messages.blank")}" if @settings['cas_server'].blank? %>
+
+<p>
+  <label><%= l(:label_cas_enabled) %></label>
+  <%= check_box_tag 'settings[enabled]', true, @settings['enabled'] %>
+</p>
+<p>
+  <label><%= l(:label_cas_server) %><span class="required"> *</span></label>
+  <%= text_field_tag 'settings[cas_server]', @settings['cas_server'], :size => 50 %>
+  <br />
+  <em><%= l(:label_example) %>: https://cas.example.com</em>
+</p>
+<p>
+  <label><%= l(:label_cas_service_validate_url) %></label>
+  <%= text_field_tag 'settings[cas_service_validate_url]', @settings['cas_service_validate_url'], :size => 50 %>
+  <br />
+  <em><%= l(:label_example) %>: https://cas.example.net/serviceValidate</em>
+</p>
+<p>
+  <label><%= l(:label_login_page_text) %></label>
+  <%= text_field_tag 'settings[label_login_with_cas]', @settings['label_login_with_cas'], :size => 50 %>
+</p>
+<p>
+  <label><%= l(:label_replace_redmine_login) %></label>
+  <%= check_box_tag 'settings[replace_redmine_login]', true, @settings['replace_redmine_login'] %>
+</p>

assets/stylesheets/login.css

@@ -1,9 +1,9 @@
-#cas-login { margin:3em auto 0; font-size:16px; font-weight:bold; text-align:center; }
-#cas-login a, #cas-login a:hover {
+#saml-login { margin:3em auto 0; font-size:16px; font-weight:bold; text-align:center; }
+#saml-login a, #saml-login a:hover {
   display:inline-block; padding:0.4em 1em; max-width:800px; text-align:center;
   color:#fff; background-color:#78cc01; text-decoration:none !important; text-shadow:1px 1px 1px #666;
   -moz-border-radius:20px; -webkit-border-radius:20px; border-radius:20px;
 }
-#cas-login a:hover { background-color:#70c600; }
-#cas-login a:active { position:relative; top:1px; }
+#saml-login a:hover { background-color:#70c600; }
+#saml-login a:active { position:relative; top:1px; }
 #login-form table { margin-top:2em; }

config/locales/en.yml

@@ -6,7 +6,7 @@ en:
   label_cas_service_validate_url: CAS validation URL (if different)
   label_replace_redmine_login: Replace Redmine login page
   text_full_logout_proposal: You may want to %{value} before trying an other username.
-  text_logout_from_cas: logout from CAS
-  error_cas_no_ticket: No CAS ticket was found during callback.
-  error_cas_invalid_ticket: An invalid CAS ticket was specified, it may have expired. Please try authenticating in again.
-  error_cas_unknown: An unknown error occurred during CAS callback processing.
+  text_logout_from_saml: logout from SAML
+  error_saml_no_ticket: No CAS ticket was found during callback.
+  error_saml_invalid_ticket: An invalid CAS ticket was specified, it may have expired. Please try authenticating in again.
+  error_saml_unknown: An unknown error occurred during CAS callback processing.

config/routes.rb

@@ -1,5 +1,5 @@
 RedmineApp::Application.routes.draw do
-  match 'auth/failure', :to => 'account#login_with_cas_failure'
-  match 'auth/:provider/callback', :to => 'account#login_with_cas_callback'
-  match 'auth/:provider', :to => 'account#login_with_cas_redirect'
+  match 'auth/failure', :to => 'account#login_with_saml_failure'
+  match 'auth/:provider/callback', :to => 'account#login_with_saml_callback'
+  match 'auth/:provider', :to => 'account#login_with_saml_redirect'
 end

init.rb

@@ -1,55 +1,23 @@
 require 'redmine'
-require 'redmine_omniauth_cas'
-require 'redmine_omniauth_cas/hooks'
-require 'omniauth/patches'
-require 'omniauth/dynamic_full_host'
+require 'redmine_omniauth_saml'
+require 'redmine_omniauth_saml/hooks'
 
 # Patches to existing classes/modules
 ActionDispatch::Callbacks.to_prepare do
-  require_dependency 'redmine_omniauth_cas/account_helper_patch'
-  require_dependency 'redmine_omniauth_cas/account_controller_patch'
+  require_dependency 'redmine_omniauth_saml/account_helper_patch'
+  require_dependency 'redmine_omniauth_saml/account_controller_patch'
 end
 
 # Plugin generic informations
-Redmine::Plugin.register :redmine_omniauth_cas do
-  name 'Redmine Omniauth plugin'
-  description 'This plugin adds Omniauth support to Redmine'
-  author 'Jean-Baptiste BARTH'
-  author_url 'mailto:[email protected]'
-  url 'https://github.com/jbbarth/redmine_omniauth_cas'
-  version '0.1.2'
-  requires_redmine :version_or_higher => '2.0.0'
-  settings :default => { 'enabled' => 'true', 'label_login_with_cas' => '', 'cas_server' => '' },
-           :partial => 'settings/omniauth_cas_settings'
+Redmine::Plugin.register :redmine_omniauth_saml do
+  name 'Redmine Omniauth SAML plugin'
+  description 'This plugin adds Omniauth SAML support to Redmine. Based in Omniauth CAS plugin'
+  author 'Christian A. Rodriguez'
+  author_url 'mailto:[email protected]'
+  url 'https://github.com/chrodriguez/redmine_omniauth_saml'
+  version '0.0.1'
+  requires_redmine :version_or_higher => '2.3.0'
+  settings :default => { 'enabled' => 'true', 'label_login_with_saml' => '' },
+           :partial => 'settings/omniauth_saml_settings'
 end
 
-# OmniAuth CAS
-setup_app = Proc.new do |env|
-  addr = Redmine::OmniAuthCAS.cas_server
-  cas_server = URI.parse(addr)
-  if cas_server
-    env['omniauth.strategy'].options.merge! :host => cas_server.host,
-                                            :port => cas_server.port,
-                                            :path => (cas_server.path != "/" ? cas_server.path : nil),
-                                            :ssl  => cas_server.scheme == "https"
-  end
-  validate = Redmine::OmniAuthCAS.cas_service_validate_url
-  if validate
-    env['omniauth.strategy'].options.merge! :service_validate_url => validate
-  end
-  # Dirty, not happy with it, but as long as I can't reproduce the bug
-  # users are blocked because of failing OpenSSL checks, while the cert
-  # is actually good, so...
-  # TODO: try to understand why cert verification fails
-  # Maybe https://github.com/intridea/omniauth/issues/404 can help
-  env['omniauth.strategy'].options.merge! :disable_ssl_verification => true
-end
-
-# tell Rails we use this middleware, with some default value just in case
-Rails.application.config.middleware.use OmniAuth::Builder do
-  #url = "http://nadine.application.ac.centre-serveur.i2/"
-  use OmniAuth::Strategies::CAS, :host => "localhost",
-                                 :port => "9292",
-                                 :ssl => false,
-                                 :setup => setup_app
-end

lib/redmine_omniauth_saml.rb

@@ -0,0 +1,31 @@
+module Redmine::OmniAuthSAML
+  class << self
+    def settings_hash
+#      Setting["plugin_redmine_omniauth_cas"]
+      {
+        'enabled' => true,
+        'replace_redmine_login' => true
+      }
+    end
+
+    def enabled?
+      settings_hash["enabled"]
+    end
+
+    def saml_server
+      settings_hash["saml_server"]
+    end
+
+    def saml_logout_url
+      settings['saml_logout_url']
+    end
+
+    def cas_service_validate_url
+      settings_hash["cas_service_validate_url"].presence || nil
+    end
+
+    def label_login_with_saml
+      settings_hash["label_login_with_saml"]
+    end
+  end
+end

lib/redmine_omniauth_saml/account_controller_patch.rb

@@ -0,0 +1,101 @@
+require_dependency 'account_controller'
+
+module Redmine::OmniAuthSAML
+  module AccountControllerPatch
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+      base.class_eval do
+        unloadable
+        alias_method_chain :login, :saml
+        alias_method_chain :logout, :saml
+      end
+    end
+
+    module InstanceMethods
+
+      def login_with_saml
+        #TODO: test 'replace_redmine_login' feature
+        if saml_settings["enabled"] && saml_settings["replace_redmine_login"]
+          redirect_to :controller => "account", :action => "login_with_saml_redirect", :provider => "saml", :origin => back_url
+        else
+          login_without_saml
+        end
+      end
+
+      def login_with_saml_redirect
+        render :text => "Not Found", :status => 404
+      end
+
+      def login_with_saml_callback
+        auth = request.env["omniauth.auth"]
+        #user = User.find_by_provider_and_uid(auth["provider"], auth["uid"])
+        user = User.find_by_login(auth["uid"]) || User.find_by_mail(auth["uid"])
+
+        # taken from original AccountController
+        # maybe it should be splitted in core
+        if user.blank?
+          logger.warn "Failed login for '#{auth[:uid]}' from #{request.remote_ip} at #{Time.now.utc}"
+          error = l(:notice_account_invalid_creditentials).sub(/\.$/, '')
+          if saml_settings["enabled"]
+            link = self.class.helpers.link_to(l(:text_logout_from_saml), saml_logout_url, :target => "_blank")
+            error << ". #{l(:text_full_logout_proposal, :value => link)}"
+          end
+          if saml_settings["replace_redmine_login"]
+            render_error({:message => error.html_safe, :status => 403})
+            return false
+          else
+            flash[:error] = error
+            redirect_to signin_url
+          end
+        else
+          user.update_attribute(:last_login_on, Time.now)
+          params[:back_url] = request.env["omniauth.origin"] unless request.env["omniauth.origin"].blank?
+          successful_authentication(user)
+          #cannot be set earlier, because sucessful_authentication() triggers reset_session()
+          session[:logged_in_with_saml] = true
+        end
+      end
+
+      def login_with_saml_failure
+        error = params[:message] || 'unknown'
+        error = 'error_saml_' + error
+        if saml_settings["replace_redmine_login"]
+          render_error({:message => error.to_sym, :status => 500})
+          return false
+        else
+          flash[:error] = l(error.to_sym)
+          redirect_to signin_url
+        end
+      end
+
+      def logout_with_saml
+        if saml_settings["enabled"] && session[:logged_in_with_saml]
+          logout_user
+          redirect_to saml_logout_url(home_url)
+        else
+          logout_without_saml
+        end
+      end
+
+      private
+      def saml_settings
+        Redmine::OmniAuthSAML.settings_hash
+      end
+
+      def saml_logout_url(service = nil)
+        return ''
+        logout_uri = saml_settings['saml_logout_url']
+        if !service.blank?
+          logout_uri += service
+        end
+        logout_uri
+      end
+
+    end
+  end
+end
+
+unless AccountController.included_modules.include? Redmine::OmniAuthSAML::AccountControllerPatch
+  AccountController.send(:include, Redmine::OmniAuthSAML::AccountControllerPatch)
+  AccountController.skip_before_filter :verify_authenticity_token, :only => [:login_with_saml_callback]
+end

lib/redmine_omniauth_saml/account_helper_patch.rb

@@ -0,0 +1,22 @@
+require_dependency 'account_helper'
+
+module Redmine::OmniAuthSAML
+  module AccountHelperPatch
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+      base.class_eval do
+        unloadable
+      end
+    end
+
+    module InstanceMethods
+      def label_for_saml_login
+        Redmine::OmniAuthCAS.label_login_with_saml.presence || l(:label_login_with_saml)
+      end
+    end
+  end
+end
+
+unless AccountHelper.included_modules.include? Redmine::OmniAuthSAML::AccountHelperPatch
+  AccountHelper.send(:include, Redmine::OmniAuthSAML::AccountHelperPatch)
+end

lib/redmine_omniauth_saml/hooks.rb

@@ -0,0 +1,5 @@
+module Redmine::OmniAuthSAML
+  class Hooks < Redmine::Hook::ViewListener
+    render_on :view_account_login_top, :partial => 'redmine_omniauth_saml/view_account_login_top'
+  end
+end