Added feature to choose whehter to create or not users if they don't …

…exist (#49)

* Added Support for login selector (external or sso); Added pt translation;

* Added feature to choose whehter to create or not users if they don't exist

* Added feature to avoid direct login from selected auth sources

* Added two important conditions for the feature to run

Co-authored-by: Tiago Gomes <[email protected]>

app/models/oic_session.rb

@@ -32,6 +32,14 @@ def self.login_selector?
     client_config['login_selector']
   end
 
+  def self.create_user_if_not_exists?
+    client_config['create_user_if_not_exists']
+  end
+
+  def self.disallowed_auth_sources_login
+    client_config['disallowed_auth_sources_login'].to_a
+  end
+
   def self.openid_configuration_url
     client_config['openid_connect_server_url'] + '/.well-known/openid-configuration'
   end

app/views/settings/_redmine_openid_connect_settings.html.erb

@@ -49,3 +49,13 @@
   <label><%= t('config.login_selector') %></label>
     <%= check_box_tag 'settings[login_selector]', false, @settings['login_selector'] %>
 </p>
+
+<p>
+  <label><%= t('config.create_user_if_not_exists') %></label>
+    <%= check_box_tag 'settings[create_user_if_not_exists]', true, @settings['create_user_if_not_exists'] %>
+</p>
+
+<p>
+  <label><%= t('config.disallowed_auth_sources_login') %></label>
+  <%= select_tag 'settings[disallowed_auth_sources_login]', options_for_select(AuthSource.all.map { |a| [a.name, a.id] }, OicSession.disallowed_auth_sources_login), :multiple => true, :include_blank => true, :size => 5 %>
+</p>

config/locales/de.yml

@@ -10,7 +10,10 @@ de:
     group: Rolle "darf einloggen" (leer lassen, falls jeder authentifizierte User einloggen darf)
     admin_group: Rolle "Administratoren" (User mit dieser Rolle werden als Administrator behandelt)
     dynamic_config_expiry: "Intervall für Aktualisierung der OpenID-Einstellungen (Default: 1 day)"
+    create_user_if_not_exists: "Benutzer erstellen, falls nicht vorhanden"
+    disallowed_auth_sources_login: "Benutzer aus den folgenden Authentifizierungsquellen müssen sich mit SSO anmelden"
   oic_logout_success: 'Sie wurden ausgeloggt. <a href="%{value}">Klicken Sie hier, um sich erneut einzuloggen</a>.'
   oic_cannot_create_user: "Der Benutzer %{value} konnte nicht angelegt werden: "
   oic_try_another_account: "<a href='%{value}'>Mit einem anderen Account einloggen.</a>"
+  oic_cannot_login_user: "Benutzer %{value} konnte sich nicht anmelden: Bitte melden Sie sich mit der SSO-Option an"
   button_login_sso: Melden Sie sich mit SSO an

config/locales/en.yml

@@ -11,7 +11,10 @@ en:
     group: Authorized group (blank if all users are authorized)
     admin_group: Admins group (members of this group are treated as admin)
     dynamic_config_expiry: How often to retrieve openid configuration (default 1 day)
+    create_user_if_not_exists: Create user if not exists
+    disallowed_auth_sources_login: Users from the following auth sources will be required to login with SSO
   oic_logout_success: 'You have been logged out. <a href="%{value}">Click here to log in again</a>.'
-  oic_cannot_create_user: "Could no create the user %{value}: "
+  oic_cannot_create_user: "Could not create the user %{value}: "
   oic_try_another_account: "<a href='%{value}'>Try logging in with another account</a>"
+  oic_cannot_login_user: "User %{value} could not login: Please login using the SSO option"
   button_login_sso: Login with SSO

config/locales/pt.yml

@@ -11,7 +11,10 @@ pt:
     group: "Grupo autorizado (vazio se todos os utilizadores são autorizados)"
     admin_group: "Grupo de Administradores (membros deste grupo são tratados como administradores)"
     dynamic_config_expiry: "Com que frequência obter configuração do openid (padrão 1 dia)"
+    create_user_if_not_exists: "Criar utilizador caso não exista"
+    disallowed_auth_sources_login: "Utilizadores das fontes selecionadas deverão fazer login SSO"
   oic_logout_success: 'Saiu com sucesso. <a href="%{value}">Clique aqui para voltar a entrar</a>.'
   oic_cannot_create_user: "Não foi possível criar o utilizador %{value}: "
   oic_try_another_account: "<a href='%{value}'>Tente entrar com uma conta diferente</a>"
+  oic_cannot_login_user: "Não foi possível autenticar o utilizador %{value}: Por favor use o login SSO"
   button_login_sso: Entrar com SSO

lib/redmine_openid_connect/account_controller_patch.rb

@@ -91,6 +91,15 @@ def oic_local_login
         user = User.find_by_mail(user_info["email"])
 
         if user.nil?
+          if !OicSession.create_user_if_not_exists?
+            flash.now[:warning] ||= l(:oic_cannot_create_user, user_info["email"])
+
+            logger.warn "Could not create user #{user_info["email"]}, the system is not allowed to create new users through openid"
+            flash.now[:warning] += "The system is not allowed to create new users through openid"
+
+            return invalid_credentials
+          end
+
           user = User.new
 
           user.login = user_info["user_name"] || user_info["nickname"] || user_info["preferred_username"]
@@ -144,6 +153,16 @@ def oic_local_login
       end
     end
 
+    def password_authentication
+      user = User.find_by_login(params[:username])
+      if OicSession.enabled? and !user.nil? and !user.auth_source.nil? and OicSession.disallowed_auth_sources_login.map(&:to_i).include? user.auth_source.id
+        flash.now[:warning] ||= l(:oic_cannot_login_user, params[:username])
+        logger.warn "User #{params[:username]} cannot login because it was disallowed by the openid plugin configuration"
+      else
+        return super
+      end
+    end
+
     def invalid_credentials
       return super unless OicSession.enabled?