Adding SSO CILogon

.github/workflows/mysql.yml

@@ -73,4 +73,6 @@ jobs:
 
     # Run the time consuming integration tests (using Chrome headless browser)
     - name: 'Run Rspec Integration Tests'
-      run: bundle exec rspec spec/features/
+      run: |
+        bundle exec rspec spec/features/
+        bundle exec rspec spec/integration/

.github/workflows/postgres.yml

@@ -95,4 +95,6 @@ jobs:
 
     # Run the time consuming integration tests (using Chrome headless browser)
     - name: 'Run Integration Tests'
-      run: bundle exec rspec spec/features/
+      run: |
+        bundle exec rspec spec/features/
+        bundle exec rspec spec/integration/

CHANGELOG.md

@@ -4,7 +4,15 @@
 
 ### Added
 
+ - Add Rake Upgrade Task For `4.1.1+portage-4.2.0` [#892](https://github.com/portagenetwork/roadmap/pull/892)
+
+ - Test cases for CILogon(openid_connection) changes in Omniauth controller - [#869](https://github.com/portagenetwork/roadmap/pull/869/)
+
+ - Implemented openid_connection SSO with CILogon [#872](https://github.com/portagenetwork/roadmap/pull/872)
+
  - Create GET "/api/ca_dashboard/stats" endpoint to fetch Plan, User, and Org-related statistics [#852](https://github.com/portagenetwork/roadmap/pull/852)
+
+ - Added SSO changes updates to the About and Help pages. [#882](https://github.com/portagenetwork/roadmap/pull/882)
 
 ### Changed
 
@@ -18,6 +26,8 @@
 
  - Fix flaky tests / Optimize Checking Of `plan.title` Within `spec/features/plans/exports_spec.rb` [#871](https://github.com/portagenetwork/roadmap/pull/871)
 
+ - Patch to Put Back ORCID Linking Functionality [#891](https://github.com/portagenetwork/roadmap/pull/891)
+
 ## [4.1.1+portage-4.1.3] - 2024-08-08
 
 ### Changed

Gemfile

@@ -107,6 +107,9 @@ gem 'omniauth-orcid'
 #   https://nvd.nist.gov/vuln/detail/CVE-2015-9284
 gem 'omniauth-rails_csrf_protection'
 
+# This gem provides cilogon support with devise login authentication
+gem 'omniauth_openid_connect'
+
 # A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
 gem 'jwt'
 

Gemfile.lock

@@ -75,13 +75,15 @@ GEM
       zeitwerk (~> 2.3)
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
+    aes_key_wrap (1.1.0)
     annotate (3.2.0)
       activerecord (>= 3.2, < 8.0)
       rake (>= 10.4, < 14.0)
     annotate_gem (0.0.14)
       bundler (>= 1.1)
     api-pagination (5.0.0)
     ast (2.4.2)
+    attr_required (1.0.2)
     autoprefixer-rails (10.4.16.0)
       execjs (~> 2)
     base64 (0.1.1)
@@ -91,6 +93,7 @@ GEM
       rack (>= 0.9.0)
       rouge (>= 1.0.0)
     bigdecimal (3.1.8)
+    bindata (2.5.0)
     bindex (0.8.1)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
@@ -179,6 +182,8 @@ GEM
       fog-aws
     ecma-re-validator (0.4.0)
       regexp_parser (~> 2.2)
+    email_validator (2.2.4)
+      activemodel
     erubi (1.13.0)
     excon (0.104.0)
     execjs (2.9.1)
@@ -191,6 +196,8 @@ GEM
       i18n (>= 1.8.11, < 2)
     faraday (2.9.0)
       faraday-net_http (>= 2.0, < 3.2)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
     faraday-http-cache (2.5.1)
       faraday (>= 0.8)
     faraday-net_http (3.1.0)
@@ -257,6 +264,13 @@ GEM
     jsbundling-rails (1.3.0)
       railties (>= 6.0.0)
     json (2.7.2)
+    json-jwt (1.16.6)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     json_schemer (0.2.25)
       ecma-re-validator (~> 0.3)
       hana (~> 1.3)
@@ -362,7 +376,23 @@ GEM
       omniauth (~> 2.0)
     omniauth-shibboleth (1.3.0)
       omniauth (>= 1.0.0)
+    omniauth_openid_connect (0.7.1)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
     open4 (1.3.4)
+    openid_connect (2.3.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
     options (2.3.2)
     orm_adapter (0.5.0)
     parallel (1.24.0)
@@ -392,6 +422,13 @@ GEM
       rack (>= 1.0, < 4)
     rack-mini-profiler (3.3.1)
       rack (>= 1.2.0)
+    rack-oauth2 (2.2.1)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-protection (3.2.0)
       base64 (>= 0.1.0)
       rack (~> 2.2, >= 2.2.4)
@@ -520,6 +557,11 @@ GEM
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
     strscan (3.1.0)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     syslog-logger (1.6.8)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
@@ -540,6 +582,9 @@ GEM
     uniform_notifier (1.16.0)
     uri (0.13.0)
     uri_template (0.7.0)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
     version_gem (1.1.3)
     warden (1.2.9)
       rack (>= 2.0.9)
@@ -548,6 +593,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.23.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -569,6 +618,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-21
+  arm64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
@@ -616,6 +666,7 @@ DEPENDENCIES
   omniauth-orcid
   omniauth-rails_csrf_protection
   omniauth-shibboleth
+  omniauth_openid_connect
   parallel
   pg
   progress_bar

app/controllers/orgs_controller.rb

@@ -151,6 +151,7 @@ def shibboleth_ds_passthru
 
     end
   end
+
   # rubocop:enable Metrics/AbcSize
 
   # POST /orgs  (via AJAX from Org Typeaheads ... see below for specific pages)

app/controllers/users/omniauth_callbacks_controller.rb

@@ -3,13 +3,62 @@
 module Users
   # Controller that handles callbacks from OmniAuth integrations (e.g. Shibboleth and ORCID)
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController
-    ##
-    # Dynamically build a handler for each omniauth provider
-    # -------------------------------------------------------------
-    IdentifierScheme.for_authentication.each do |scheme|
-      define_method(scheme.name.downcase) do
-        handle_omniauth(scheme)
+    # This is for the OpenidConnect CILogon
+
+    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+    def openid_connect
+      # First or create
+      auth = request.env['omniauth.auth']
+      user = User.from_omniauth(auth)
+
+      if auth.info.email.nil? && user.nil?
+        # If email is missing we need to request the user to register with DMP.
+        # User email can be missing if the usFFvate or trusted clients only we won't get the value.
+        # User email id is one of the mandatory field which is must required.
+        flash[:notice] = _('Something went wrong, Please try signing up here.')
+        redirect_to new_user_registration_path
+        return
       end
+
+      identifier_scheme = IdentifierScheme.find_by(name: auth.provider)
+
+      if current_user.nil?
+        # We need to register
+        if user.nil?
+          # Register and sign in
+          user = User.create_from_provider_data(auth)
+          user.identifiers << Identifier.create(identifier_scheme: identifier_scheme,
+                                                value: auth.uid,
+                                                attrs: auth,
+                                                identifiable: user)
+        end
+        sign_in_and_redirect user, event: :authentication
+      elsif user.nil?
+        # we need to link
+        current_user.identifiers << Identifier.create(identifier_scheme: identifier_scheme,
+                                                      value: auth.uid,
+                                                      attrs: auth,
+                                                      identifiable: current_user)
+
+        flash[:notice] = _('Linked successfully')
+
+        redirect_to root_path
+      elsif user.id != current_user.id
+        # If a user was found but does NOT match the current user then the identifier has
+        # already been attached to another account (likely the user has 2 accounts)
+        flash[:alert] = format(_('The current %{description} iD has been already linked to a user with email %{email}'),
+                               description: identifier_scheme.description, email: user.email)
+        redirect_to edit_user_registration_path
+      end
+    end
+    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
+
+    def orcid
+      handle_omniauth(IdentifierScheme.for_authentication.find_by(name: 'orcid'))
+    end
+
+    def shibboleth
+      handle_omniauth(IdentifierScheme.for_authentication.find_by(name: 'shibboleth'))
     end
 
     # Processes callbacks from an omniauth provider and directs the user to
@@ -35,6 +84,7 @@ def handle_omniauth(scheme)
         # If the uid didn't have a match in the system send them to register
         if user.nil?
           session["devise.#{scheme.name.downcase}_data"] = request.env['omniauth.auth']
+
           redirect_to new_user_registration_url
 
         # Otherwise sign them in
@@ -68,14 +118,15 @@ def handle_omniauth(scheme)
           # If a user was found but does NOT match the current user then the identifier has
           # already been attached to another account (likely the user has 2 accounts)
           # rubocop:disable Layout/LineLength
-          flash[:alert] = _("The current #{scheme.description} iD has been already linked to a user with email #{identifier.user.email}")
+          flash[:alert] = format(_('The current %{scheme_description} iD has been already linked to a user with email %{identifier_user_email}'), scheme_description: scheme.description, identifier_user_email: identifier.user.email)
           # rubocop:enable Layout/LineLength
         end
 
         # Redirect to the User Profile page
         redirect_to edit_user_registration_path
       end
     end
+
     # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
     # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
 

app/models/identifier_scheme.rb

@@ -62,10 +62,6 @@ class IdentifierScheme < ApplicationRecord
   #    { "ror": "12345" }
   # so we cannot allow spaces or non alpha characters!
   def name=(value)
-    super(value&.downcase&.gsub(/[^a-z]/, ''))
+    super(value&.downcase&.gsub(/[^a-z|_]/, ''))
   end
-
-  # ===========================
-  # = Instance Methods =
-  # ===========================
 end

app/models/user.rb

@@ -66,7 +66,7 @@ class User < ApplicationRecord
   #   :lockable, :timeoutable and :omniauthable
   devise :invitable, :database_authenticatable, :registerable, :recoverable,
          :rememberable, :trackable, :validatable, :omniauthable,
-         omniauth_providers: %i[shibboleth orcid]
+         omniauth_providers: %i[shibboleth orcid openid_connect]
 
   ##
   # User Notification Preferences
@@ -182,6 +182,26 @@ def self.from_omniauth(auth)
               .first&.identifiable
   end
 
+  ##
+  # Handle user creation from provider
+  # rubocop:disable Metrics/AbcSize
+  def self.create_from_provider_data(provider_data)
+    user = User.find_by email: provider_data.info.email
+
+    return user if user
+
+    User.create!(
+      firstname: provider_data.info&.first_name.present? ? provider_data.info.first_name : _('First name'),
+      surname: provider_data.info&.last_name.present? ? provider_data.info.last_name : _('Last name'),
+      email: provider_data.info.email,
+      # We don't know which organization to setup so we will use other
+      org: Org.find_by(is_other: true),
+      accept_terms: true,
+      password: Devise.friendly_token[0, 20]
+    )
+  end
+  # rubocop:enable Metrics/AbcSize
+
   def self.to_csv(users)
     User::AtCsv.new(users).to_csv
   end

app/views/devise/registrations/_external_identifier.html.erb

@@ -1,4 +1,5 @@
 <% if id.nil? || id.value == '' %>
+
     <% if scheme.name.downcase == 'orcid' %>
         <%= link_to  Rails.application.routes.url_helpers.send("user_orcid_omniauth_authorize_path"),
                      id: "connect-orcid-button",
@@ -88,4 +89,4 @@
                 data: {confirm: unlinkconf},
                 'aria-label': unlinktext,
                 'data-toggle': "tooltip" %>
-<% end %>
+<% end %>

app/views/devise/registrations/_external_openid_connect.html.erb

@@ -0,0 +1,21 @@
+<% if id.nil? || id.value == '' %>
+<%# If we dont have an id we need to link %>
+<i class="fas fa-user" title="<%= _('Institutional credentials') %>" aria-hidden="true"></i>
+        &nbsp;
+        <%= link_to _('Link your institutional credentials'),
+                    Rails.application.routes.url_helpers.send("user_openid_connect_omniauth_authorize_path"),
+                    title: _("Link your institutional credentials to access your account with them."),
+                    'data-toggle': "tooltip", method: :post %>
+<% else %>
+<%# If We do have and id we need to present the option to unlink %>
+<% unlinktext = _("Unlink your account from %{scheme_description}. You can link again at any time.") % { scheme_description: scheme.description} %>
+<% unlinkconf = _("Are you sure you want to unlink %{scheme_description} ID?") % { scheme_description: scheme.description } %>
+<%= id.value %>
+<%= link_to '<i class="fas fa-fw fa-circle-xmark" aria-hidden="true"></i>'.html_safe,
+                destroy_user_identifier_path(id),
+                method: :delete,
+                title: unlinktext,
+                data: {confirm: unlinkconf},
+                'aria-label': unlinktext,
+                'data-toggle': "tooltip" %>
+<% end %>