From b5db2765c3587207e34b40d96f5f919ecf1679d6 Mon Sep 17 00:00:00 2001
From: Kevin Beyrand <kevin@atnos.com>
Date: Tue, 17 Oct 2023 13:19:58 +0200
Subject: [PATCH 01/11] Implementing SSO

---
 Gemfile                                   |   3 +
 Gemfile.lock                              |   8 ++
 app/controllers/application_controller.rb |   8 +-
 app/controllers/saml_controller.rb        | 100 ++++++++++++++++++++++
 app/models/user.rb                        |   2 +-
 config/application.rb                     |  11 ++-
 config/environments/development.rb        |   8 +-
 config/initializers/devise.rb             |  19 +++-
 config/routes.rb                          |   6 ++
 9 files changed, 154 insertions(+), 11 deletions(-)
 create mode 100644 app/controllers/saml_controller.rb

diff --git a/Gemfile b/Gemfile
index fb3097bc..c8c36f4d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -64,3 +64,6 @@ end
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
+gem "ruby-saml", "~> 1.15"
+gem "devise_saml_authenticatable", "~> 1.9"
+
diff --git a/Gemfile.lock b/Gemfile.lock
index 9e388c3c..f803732d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -101,6 +101,9 @@ GEM
     devise_ldap_authenticatable (0.8.7)
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
+    devise_saml_authenticatable (1.9.1)
+      devise (> 2.0.0)
+      ruby-saml (~> 1.7)
     digest (3.1.0)
     doorkeeper (5.6.6)
       railties (>= 5)
@@ -234,6 +237,9 @@ GEM
       rack (>= 1.1)
       rubocop (>= 1.7.0, < 2.0)
     ruby-progressbar (1.11.0)
+    ruby-saml (1.16.0)
+      nokogiri (>= 1.13.10)
+      rexml
     ruby-vips (2.1.4)
       ffi (~> 1.12)
     ssrf_filter (1.0.8)
@@ -263,6 +269,7 @@ DEPENDENCIES
   devise-i18n
   devise-security
   devise_ldap_authenticatable
+  devise_saml_authenticatable (~> 1.9)
   doorkeeper
   doorkeeper-i18n
   dotenv-rails
@@ -276,6 +283,7 @@ DEPENDENCIES
   rails (~> 7.0.3)
   rails-i18n
   rubocop-rails
+  ruby-saml (~> 1.15)
   tzinfo-data
 
 RUBY VERSION
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 34c1ae63..6b5d88f9 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -10,8 +10,12 @@ class ApplicationController < ActionController::API
   end
 
   def info
-    client_app = Doorkeeper::Application.find_by(uid: params["client_id"], secret: params["client_secret"])
-    render json: { valid: client_app.present?, auth: ENV['ENABLE_AUTHENTICATION'].present? }
+    client_app = Doorkeeper::Application.find_by(uid: params['client_id'], secret: params['client_secret'])
+    render json: {
+      valid: client_app.present?,
+      auth: ENV['ENABLE_AUTHENTICATION'].present?,
+      sso_enabled: ENV['ENABLE_SSO'].present? ? ActiveModel::Type::Boolean.new.cast(ENV['ENABLE_SSO']) : false
+    }
   end
 
   protected
diff --git a/app/controllers/saml_controller.rb b/app/controllers/saml_controller.rb
new file mode 100644
index 00000000..ca8bb572
--- /dev/null
+++ b/app/controllers/saml_controller.rb
@@ -0,0 +1,100 @@
+class SamlController < Doorkeeper::TokensController
+  # skip_before_action :doorkeeper_authorize!
+
+  def metadata
+    meta = OneLogin::RubySaml::Metadata.new
+    render xml: meta.generate(settings, true)
+  end
+
+  def sso
+    request = OneLogin::RubySaml::Authrequest.new
+    redirect_to(request.create(settings))
+  end
+
+  def consume
+    response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings:)
+
+    if response.is_valid?
+      email = response.name_id
+      session[:nameid] = response.name_id
+      user = User.find_by_email(email)
+      unless user
+        password = [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].sample(16).join
+        user = User.create!(email:, password:, password_confirmation: password)
+        user.is_user = true
+        user.save
+      end
+      sign_in(:user, user)
+
+      doorkeeper_app = Doorkeeper::Application.first
+      access_token = Doorkeeper::AccessToken.find_or_create_for(
+        application: doorkeeper_app,
+        resource_owner: user.id,
+        scopes: Doorkeeper::OAuth::Scopes.from_array(%w[public])
+      )
+
+      # redirect_to  frontrnd
+      redirect_to "#{ENV['SSO_FRONTEND_REDIRECTION']}/#/?sso_token=#{access_token.token}"
+    else
+      logger.info "Response Invalid. Errors: #{response.errors}"
+      @errors = response.errors
+      redirect_to root_path
+    end
+  end
+
+  def logout
+    logout_request = OneLogin::RubySaml::Logoutrequest.new
+    session[:transaction_id] = logout_request.uuid
+
+    logger.info "New SP SLO for User ID: '#{session[:nameid]}', Transaction ID: '#{session[:transaction_id]}'"
+
+    settings.name_identifier_value = session[:nameid] if settings.name_identifier_value.nil?
+
+    redirect_to(logout_request.create(settings))
+  end
+
+  # Handle the SLO response from the IdP
+  # GET /saml/slo
+  def slo
+    logout_response = if session.has_key? :transaction_id
+                        OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings,
+                                                               matches_request_id: session[:transaction_id])
+                      else
+                        OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings)
+                      end
+    logger.info "LogoutResponse is: #{logout_response}"
+
+    # Validate the SAML Logout Response
+    if !logout_response.validate
+      logger.error 'The SAML Logout Response is invalid'
+    else
+      # Actually log out this session
+      logger.info "SLO completed for '#{session[:nameid]}'"
+      session[:nameid] = nil
+      session[:transaction_id] = nil
+
+      redirect_to ENV['SSO_FRONTEND_REDIRECTION']
+    end
+  end
+
+  private
+
+  def settings
+    settings = OneLogin::RubySaml::Settings.new
+    url_base = "#{request.protocol}#{request.host_with_port}"
+
+    # settings.soft = true
+    settings.issuer = "#{url_base}/saml/metadata"
+    settings.assertion_consumer_service_url = "#{url_base}/saml/acs"
+    settings.assertion_consumer_logout_service_url = "#{url_base}/saml/slo"
+
+    # IdP section
+    settings.idp_entity_id                  = ENV['IDP_ENTITY_ID']
+    settings.idp_sso_target_url             = ENV['IDP_SSO_TARGET_URL']
+    settings.idp_slo_target_url             = ENV['IDP_SLO_TARGET_URL']
+    settings.idp_cert                       = ENV['IDP_CERT']
+    settings.name_identifier_format         = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+
+    settings
+  end
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index f640deb8..f6cc258e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -26,7 +26,7 @@ class User < ApplicationRecord
            dependent: :destroy
 
   def validate_login_uniqueness
-    errors.add(:login, :taken) if User.where(login: login).where.not(id: id).exists?
+    errors.add(:login, :taken) if User.where(login:).where.not(id:).exists?
   end
 
   def check_ldap_email
diff --git a/config/application.rb b/config/application.rb
index e8ce2cd8..f157ea32 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -1,4 +1,4 @@
-require_relative "boot"
+require_relative 'boot'
 
 require 'rails'
 # Pick the frameworks you want:
@@ -18,7 +18,6 @@
 # you've limited to :test, :development, or :production.
 Bundler.require(*Rails.groups)
 
-
 module PiaBack
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
@@ -38,7 +37,7 @@ class Application < Rails::Application
     config.api_only = true
 
     # set the default locale to French
-    config.i18n.default_locale = ENV.fetch("DEFAULT_LOCALE", :en)
+    config.i18n.default_locale = ENV.fetch('DEFAULT_LOCALE', :en)
     # if a locale isn't found fall back to this default locale
     config.i18n.fallbacks = true
     # set the possible locales to English and Brazilian-Portuguese
@@ -50,5 +49,11 @@ class Application < Rails::Application
     config.action_view.sanitized_allowed_tags = tags_allowed
     attributes_allowed = ENV['SANITIZED_ALLOWED_ATTRIBUTES'] ? ENV['SANITIZED_ALLOWED_ATTRIBUTES'].split(' ') : []
     config.action_view.sanitized_allowed_attributes = attributes_allowed
+
+    config.middleware.use ActionDispatch::Cookies
+    config.middleware.use ActionDispatch::Session::CookieStore
+
+    config.secret_key_base = Rails.application.credentials.secret_key_base
+    config.session_store :cookie_store, expire_after: 30.minutes
   end
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 3d6b0736..638e796d 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -1,4 +1,4 @@
-require "active_support/core_ext/integer/time"
+require 'active_support/core_ext/integer/time'
 
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
@@ -19,10 +19,10 @@
 
   # Enable/disable caching. By default caching is disabled.
   # Run rails dev:cache to toggle caching.
-  if Rails.root.join("tmp/caching-dev.txt").exist?
+  if Rails.root.join('tmp/caching-dev.txt').exist?
     config.cache_store = :memory_store
     config.public_file_server.headers = {
-      "Cache-Control" => "public, max-age=#{2.days.to_i}"
+      'Cache-Control' => "public, max-age=#{2.days.to_i}"
     }
   else
     config.action_controller.perform_caching = false
@@ -53,7 +53,6 @@
   # Highlight code that triggered database queries in logs.
   config.active_record.verbose_query_logs = true
 
-
   # Raises error for missing translations.
   # config.i18n.raise_on_missing_translations = true
 
@@ -62,4 +61,5 @@
 
   # Uncomment if you wish to allow Action Cable access from any origin.
   # config.action_cable.disable_request_forgery_protection = true
+  config.hosts << ENV.fetch('RAILS_CONFIG_HOSTS', 'localhost:3000')
 end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 1bfe798a..f5fdb28e 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -58,7 +58,7 @@
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply a hash where the value is a boolean determining whether
   # or not authentication should be aborted when the value is not present.
-  # config.authentication_keys = [:email]
+  config.authentication_keys = [:email]
 
   # Configure parameters from the request object used for authentication. Each entry
   # given should be a request method and it will automatically be passed to the
@@ -320,4 +320,21 @@
   # When set to false, does not sign a user in automatically after their password is
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
+
+  # # config.saml_default_user_key = :email # or whatever attribute you want to use as the user identifier
+  # config.saml_create_user = true # Automatically create users
+  # config.saml_update_user = true # Update user attributes after login
+  # config.saml_configure do |saml|
+  #   url_base = "#{ENV['SAML_URL_BASE']}"
+  #   saml.issuer = "#{url_base}/saml/metadata"
+  #   saml.assertion_consumer_service_url = "#{url_base}/saml/acs"
+  #   saml.assertion_consumer_logout_service_url = "#{url_base}/saml/logout"
+
+  #   # IdP section
+  #   saml.idp_entity_id                  = ENV['IDP_ENTITY_ID']
+  #   saml.idp_sso_target_url             = ENV['IDP_SSO_TARGET_URL']
+  #   saml.idp_slo_target_url             = ENV['IDP_SLO_TARGET_URL']
+  #   saml.idp_cert                       = ENV['IDP_CERT']
+  #   saml.name_identifier_format         = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+  # end
 end
diff --git a/config/routes.rb b/config/routes.rb
index 42dc5691..3324e396 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -35,4 +35,10 @@
   resources :knowledge_bases do
     resources :knowledges
   end
+
+  get '/saml/metadata', to: 'saml#metadata'
+  get '/saml/sso', to: 'saml#sso'
+  get '/saml/logout', to: 'saml#logout'
+  post '/saml/acs', to: 'saml#consume'
+  get '/saml/slo', to: 'saml#slo'
 end

From de86cd039f38a905666c6c7675f583a9639674e9 Mon Sep 17 00:00:00 2001
From: Bruno Perles <bruno@pipplet.com>
Date: Thu, 26 Oct 2023 12:48:06 +0200
Subject: [PATCH 02/11] Set default to rails 7.0 and fix deprecated Pundit
 include

---
 app/controllers/application_controller.rb     |   2 +-
 config/application.rb                         |   2 +-
 .../new_framework_defaults_5_2.rb             |  38 ------
 .../new_framework_defaults_6_0.rb             |  45 -------
 .../new_framework_defaults_7_0.rb             | 117 ------------------
 5 files changed, 2 insertions(+), 202 deletions(-)
 delete mode 100644 config/initializers/new_framework_defaults_5_2.rb
 delete mode 100644 config/initializers/new_framework_defaults_6_0.rb
 delete mode 100644 config/initializers/new_framework_defaults_7_0.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 6b5d88f9..156d92ab 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,7 +3,7 @@ class ApplicationController < ActionController::API
     render text: exception, status: :internal_server_error
   end
 
-  include Pundit if ENV['ENABLE_AUTHENTICATION'].present?
+  include Pundit::Authorization if ENV['ENABLE_AUTHENTICATION'].present?
   if ENV['ENABLE_AUTHENTICATION'].present?
     before_action :doorkeeper_authorize!,
                   except: %i[info check_uuid password_forgotten change_password]
diff --git a/config/application.rb b/config/application.rb
index f157ea32..ff23d355 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -21,7 +21,7 @@
 module PiaBack
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 5.0
+    config.load_defaults 7.0
     config.autoload_paths << "#{Rails.root}/lib"
     # Configuration for the application, engines, and railties goes here.
     #
diff --git a/config/initializers/new_framework_defaults_5_2.rb b/config/initializers/new_framework_defaults_5_2.rb
deleted file mode 100644
index c383d072..00000000
--- a/config/initializers/new_framework_defaults_5_2.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file contains migration options to ease your Rails 5.2 upgrade.
-#
-# Once upgraded flip defaults one by one to migrate to the new default.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-
-# Make Active Record use stable #cache_key alongside new #cache_version method.
-# This is needed for recyclable cache keys.
-# Rails.application.config.active_record.cache_versioning = true
-
-# Use AES-256-GCM authenticated encryption for encrypted cookies.
-# Also, embed cookie expiry in signed or encrypted cookies for increased security.
-#
-# This option is not backwards compatible with earlier Rails versions.
-# It's best enabled when your entire app is migrated and stable on 5.2.
-#
-# Existing cookies will be converted on read then written with the new scheme.
-# Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true
-
-# Use AES-256-GCM authenticated encryption as default cipher for encrypting messages
-# instead of AES-256-CBC, when use_authenticated_message_encryption is set to true.
-# Rails.application.config.active_support.use_authenticated_message_encryption = true
-
-# Add default protection from forgery to ActionController::Base instead of in
-# ApplicationController.
-# Rails.application.config.action_controller.default_protect_from_forgery = true
-
-# Store boolean values are in sqlite3 databases as 1 and 0 instead of 't' and
-# 'f' after migrating old data.
-# Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
-
-# Use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header.
-# Rails.application.config.active_support.use_sha1_digests = true
-
-# Make `form_with` generate id attributes for any generated HTML tags.
-# Rails.application.config.action_view.form_with_generates_ids = true
diff --git a/config/initializers/new_framework_defaults_6_0.rb b/config/initializers/new_framework_defaults_6_0.rb
deleted file mode 100644
index 92240ef5..00000000
--- a/config/initializers/new_framework_defaults_6_0.rb
+++ /dev/null
@@ -1,45 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file contains migration options to ease your Rails 6.0 upgrade.
-#
-# Once upgraded flip defaults one by one to migrate to the new default.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-
-# Don't force requests from old versions of IE to be UTF-8 encoded.
-# Rails.application.config.action_view.default_enforce_utf8 = false
-
-# Embed purpose and expiry metadata inside signed and encrypted
-# cookies for increased security.
-#
-# This option is not backwards compatible with earlier Rails versions.
-# It's best enabled when your entire app is migrated and stable on 6.0.
-# Rails.application.config.action_dispatch.use_cookies_with_metadata = true
-
-# Change the return value of `ActionDispatch::Response#content_type` to Content-Type header without modification.
-# Rails.application.config.action_dispatch.return_only_media_type_on_content_type = false
-
-# Return false instead of self when enqueuing is aborted from a callback.
-# Rails.application.config.active_job.return_false_on_aborted_enqueue = true
-
-# Send Active Storage analysis and purge jobs to dedicated queues.
-# Rails.application.config.active_storage.queues.analysis = :active_storage_analysis
-# Rails.application.config.active_storage.queues.purge    = :active_storage_purge
-
-# When assigning to a collection of attachments declared via `has_many_attached`, replace existing
-# attachments instead of appending. Use #attach to add new attachments without replacing existing ones.
-# Rails.application.config.active_storage.replace_on_assign_to_many = true
-
-# Use ActionMailer::MailDeliveryJob for sending parameterized and normal mail.
-#
-# The default delivery jobs (ActionMailer::Parameterized::DeliveryJob, ActionMailer::DeliveryJob),
-# will be removed in Rails 6.1. This setting is not backwards compatible with earlier Rails versions.
-# If you send mail in the background, job workers need to have a copy of
-# MailDeliveryJob to ensure all delivery jobs are processed properly.
-# Make sure your entire app is migrated and stable on 6.0 before using this setting.
-# Rails.application.config.action_mailer.delivery_job = "ActionMailer::MailDeliveryJob"
-
-# Enable the same cache key to be reused when the object being cached of type
-# `ActiveRecord::Relation` changes by moving the volatile information (max updated at and count)
-# of the relation's cache key into the cache version to support recycling cache key.
-# Rails.application.config.active_record.collection_cache_versioning = true
diff --git a/config/initializers/new_framework_defaults_7_0.rb b/config/initializers/new_framework_defaults_7_0.rb
deleted file mode 100644
index a579326e..00000000
--- a/config/initializers/new_framework_defaults_7_0.rb
+++ /dev/null
@@ -1,117 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file eases your Rails 7.0 framework defaults upgrade.
-#
-# Uncomment each configuration one by one to switch to the new default.
-# Once your application is ready to run with all new defaults, you can remove
-# this file and set the `config.load_defaults` to `7.0`.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
-
-# `button_to` view helper will render `<button>` element, regardless of whether
-# or not the content is passed as the first argument or as a block.
-# Rails.application.config.action_view.button_to_generates_button_tag = true
-
-# `stylesheet_link_tag` view helper will not render the media attribute by default.
-# Rails.application.config.action_view.apply_stylesheet_media_default = false
-
-# Change the digest class for the key generators to `OpenSSL::Digest::SHA256`.
-# Changing this default means invalidate all encrypted messages generated by
-# your application and, all the encrypted cookies. Only change this after you
-# rotated all the messages using the key rotator.
-#
-# See upgrading guide for more information on how to build a rotator.
-# https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html
-# Rails.application.config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256
-
-# Change the digest class for ActiveSupport::Digest.
-# Changing this default means that for example Etags change and
-# various cache keys leading to cache invalidation.
-# Rails.application.config.active_support.hash_digest_class = OpenSSL::Digest::SHA256
-
-# Don't override ActiveSupport::TimeWithZone.name and use the default Ruby
-# implementation.
-# Rails.application.config.active_support.remove_deprecated_time_with_zone_name = true
-
-# Change the format of the cache entry.
-# Changing this default means that all new cache entries added to the cache
-# will have a different format that is not supported by Rails 6.1 applications.
-# Only change this value after your application is fully deployed to Rails 7.0
-# and you have no plans to rollback.
-# Rails.application.config.active_support.cache_format_version = 7.0
-
-# Calls `Rails.application.executor.wrap` around test cases.
-# This makes test cases behave closer to an actual request or job.
-# Several features that are normally disabled in test, such as Active Record query cache
-# and asynchronous queries will then be enabled.
-# Rails.application.config.active_support.executor_around_test_case = true
-
-# Define the isolation level of most of Rails internal state.
-# If you use a fiber based server or job processor, you should set it to `:fiber`.
-# Otherwise the default of `:thread` if preferable.
-# Rails.application.config.active_support.isolation_level = :thread
-
-# Set both the `:open_timeout` and `:read_timeout` values for `:smtp` delivery method.
-# Rails.application.config.action_mailer.smtp_timeout = 5
-
-# The ActiveStorage video previewer will now use scene change detection to generate
-# better preview images (rather than the previous default of using the first frame
-# of the video).
-# Rails.application.config.active_storage.video_preview_arguments =
-#   "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2"
-
-# Automatically infer `inverse_of` for associations with a scope.
-# Rails.application.config.active_record.automatic_scope_inversing = true
-
-# Raise when running tests if fixtures contained foreign key violations
-# Rails.application.config.active_record.verify_foreign_keys_for_fixtures = true
-
-# Disable partial inserts.
-# This default means that all columns will be referenced in INSERT queries
-# regardless of whether they have a default or not.
-# Rails.application.config.active_record.partial_inserts = false
-#
-# Protect from open redirect attacks in `redirect_back_or_to` and `redirect_to`.
-# Rails.application.config.action_controller.raise_on_open_redirects = true
-
-# Change the variant processor for Active Storage.
-# Changing this default means updating all places in your code that
-# generate variants to use image processing macros and ruby-vips
-# operations. See the upgrading guide for detail on the changes required.
-# The `:mini_magick` option is not deprecated; it's fine to keep using it.
-# Rails.application.config.active_storage.variant_processor = :vips
-
-# If you're upgrading and haven't set `cookies_serializer` previously, your cookie serializer
-# was `:marshal`. Convert all cookies to JSON, using the `:hybrid` formatter.
-#
-# If you're confident all your cookies are JSON formatted, you can switch to the `:json` formatter.
-#
-# Continue to use `:marshal` for backward-compatibility with old cookies.
-#
-# If you have configured the serializer elsewhere, you can remove this.
-#
-# See https://guides.rubyonrails.org/action_controller_overview.html#cookies for more information.
-# Rails.application.config.action_dispatch.cookies_serializer = :hybrid
-
-# Enable parameter wrapping for JSON.
-# Previously this was set in an initializer. It's fine to keep using that initializer if you've customized it.
-# To disable parameter wrapping entirely, set this config to `false`.
-# Rails.application.config.action_controller.wrap_parameters_by_default = true
-
-# Specifies whether generated namespaced UUIDs follow the RFC 4122 standard for namespace IDs provided as a
-# `String` to `Digest::UUID.uuid_v3` or `Digest::UUID.uuid_v5` method calls.
-#
-# See https://guides.rubyonrails.org/configuring.html#config-active-support-use-rfc4122-namespaced-uuids for
-# more information.
-# Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
-
-# Change the default headers to disable browsers' flawed legacy XSS protection.
-# Rails.application.config.action_dispatch.default_headers = {
-#   "X-Frame-Options" => "SAMEORIGIN",
-#   "X-XSS-Protection" => "0",
-#   "X-Content-Type-Options" => "nosniff",
-#   "X-Download-Options" => "noopen",
-#   "X-Permitted-Cross-Domain-Policies" => "none",
-#   "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }

From 36271642f44ba95edf2397a8bd20443e4f4cc725 Mon Sep 17 00:00:00 2001
From: Bruno Perles <bruno@pipplet.com>
Date: Thu, 26 Oct 2023 13:05:52 +0200
Subject: [PATCH 03/11] Add redis session store

---
 Gemfile                              |  3 ++-
 Gemfile.lock                         | 16 ++++++++++++++++
 config/application.rb                |  4 ----
 config/initializers/session_store.rb | 12 ++++++++++++
 4 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 config/initializers/session_store.rb

diff --git a/Gemfile b/Gemfile
index c8c36f4d..143d1c47 100644
--- a/Gemfile
+++ b/Gemfile
@@ -66,4 +66,5 @@ end
 gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
 gem "ruby-saml", "~> 1.15"
 gem "devise_saml_authenticatable", "~> 1.9"
-
+gem "redis", "~> 5.0" # Redis client for Ruby
+gem "redis-actionpack", "~> 5.3" # Redis session store for ActionPack
diff --git a/Gemfile.lock b/Gemfile.lock
index f803732d..a832c8ee 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -87,6 +87,7 @@ GEM
       mime-types (~> 3.0)
       mimemagic (~> 0.3.2)
     concurrent-ruby (1.2.2)
+    connection_pool (2.4.1)
     crass (1.0.6)
     devise (4.8.1)
       bcrypt (~> 3.0)
@@ -215,6 +216,19 @@ GEM
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
     rake (13.0.6)
+    redis (5.0.8)
+      redis-client (>= 0.17.0)
+    redis-actionpack (5.3.0)
+      actionpack (>= 5, < 8)
+      redis-rack (>= 2.1.0, < 3)
+      redis-store (>= 1.1.0, < 2)
+    redis-client (0.18.0)
+      connection_pool
+    redis-rack (2.1.4)
+      rack (>= 2.0.8, < 3)
+      redis-store (>= 1.2, < 2)
+    redis-store (1.10.0)
+      redis (>= 4, < 6)
     regexp_parser (2.5.0)
     responders (3.0.1)
       actionpack (>= 5.0)
@@ -282,6 +296,8 @@ DEPENDENCIES
   rack-cors
   rails (~> 7.0.3)
   rails-i18n
+  redis (~> 5.0)
+  redis-actionpack (~> 5.3)
   rubocop-rails
   ruby-saml (~> 1.15)
   tzinfo-data
diff --git a/config/application.rb b/config/application.rb
index ff23d355..7e68df5c 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -50,10 +50,6 @@ class Application < Rails::Application
     attributes_allowed = ENV['SANITIZED_ALLOWED_ATTRIBUTES'] ? ENV['SANITIZED_ALLOWED_ATTRIBUTES'].split(' ') : []
     config.action_view.sanitized_allowed_attributes = attributes_allowed
 
-    config.middleware.use ActionDispatch::Cookies
-    config.middleware.use ActionDispatch::Session::CookieStore
-
     config.secret_key_base = Rails.application.credentials.secret_key_base
-    config.session_store :cookie_store, expire_after: 30.minutes
   end
 end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
new file mode 100644
index 00000000..83ce548f
--- /dev/null
+++ b/config/initializers/session_store.rb
@@ -0,0 +1,12 @@
+Rails.application.config.session_store :redis_store,
+                                       url: "#{ENV.fetch('REDIS_URL', 'redis://127.0.0.1:6379')}/0/session",
+                                       expire_after: 30.days,
+                                       key: "_piaback_session_#{Rails.env}",
+                                       domain: ENV.fetch("DOMAIN_NAME", "localhost"),
+                                       threadsafe: true,
+                                       secure: Rails.env.production?,
+                                       same_site: :lax,
+                                       httponly: true
+
+Rails.application.config.middleware.use ActionDispatch::Cookies
+Rails.application.config.middleware.use Rails.application.config.session_store, Rails.application.config.session_options

From 4868abeaf33cd97801368b7d05b4ba77d7cf6557 Mon Sep 17 00:00:00 2001
From: Bruno Perles <bruno@pipplet.com>
Date: Thu, 26 Oct 2023 13:06:06 +0200
Subject: [PATCH 04/11] fix queries N+1

---
 app/controllers/pias_controller.rb | 3 ++-
 app/policies/pia_policy.rb         | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/pias_controller.rb b/app/controllers/pias_controller.rb
index 055c2f6c..41d49320 100644
--- a/app/controllers/pias_controller.rb
+++ b/app/controllers/pias_controller.rb
@@ -18,7 +18,8 @@ def index
     res = []
     # check if user is technical else his pias
     pias = if ENV['ENABLE_AUTHENTICATION'].blank? || current_user.is_technical_admin
-             Pia.all
+             Pia.eager_load(:user_pias)
+                .all
            else
              policy_scope(Pia)
            end
diff --git a/app/policies/pia_policy.rb b/app/policies/pia_policy.rb
index 478e6060..5ec2d552 100644
--- a/app/policies/pia_policy.rb
+++ b/app/policies/pia_policy.rb
@@ -43,9 +43,11 @@ def initialize(user, scope)
 
     def resolve
       if user.present? && user.is_functional_admin?
-        scope.all
+        scope.eager_load(:user_pias)
+             .all
       else
-        scope.joins(:user_pias).merge(UserPia.where(user_id: user.id))
+        scope.eager_load(:user_pias)
+             .merge(UserPia.where(user_id: user.id))
       end
     end
   end

From 4f1f7126f28ecc8d4e939861ebf022525eb7c3d8 Mon Sep 17 00:00:00 2001
From: Kevin Beyrand <kevin@atnos.com>
Date: Tue, 7 Nov 2023 12:45:48 +0100
Subject: [PATCH 05/11] Update saml_controller.rb

---
 app/controllers/saml_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/saml_controller.rb b/app/controllers/saml_controller.rb
index ca8bb572..2437706a 100644
--- a/app/controllers/saml_controller.rb
+++ b/app/controllers/saml_controller.rb
@@ -17,7 +17,7 @@ def consume
     if response.is_valid?
       email = response.name_id
       session[:nameid] = response.name_id
-      user = User.find_by_email(email)
+      user = User.find_by("LOWER(email) = ?", email.strip.downcase)
       unless user
         password = [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].sample(16).join
         user = User.create!(email:, password:, password_confirmation: password)

From c8493bbed456dc601dc83afada6a85ff14a61bf4 Mon Sep 17 00:00:00 2001
From: Bruno Perles <bruno@atnos.com>
Date: Tue, 14 Nov 2023 12:51:57 +0000
Subject: [PATCH 06/11] Add missing allow host and unlock_access

---
 app/controllers/saml_controller.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/saml_controller.rb b/app/controllers/saml_controller.rb
index 2437706a..6ac3074a 100644
--- a/app/controllers/saml_controller.rb
+++ b/app/controllers/saml_controller.rb
@@ -8,7 +8,7 @@ def metadata
 
   def sso
     request = OneLogin::RubySaml::Authrequest.new
-    redirect_to(request.create(settings))
+    redirect_to(request.create(settings), allow_other_host: true)
   end
 
   def consume
@@ -23,6 +23,7 @@ def consume
         user = User.create!(email:, password:, password_confirmation: password)
         user.is_user = true
         user.save
+        user.unlock_access!
       end
       sign_in(:user, user)
 
@@ -34,7 +35,7 @@ def consume
       )
 
       # redirect_to  frontrnd
-      redirect_to "#{ENV['SSO_FRONTEND_REDIRECTION']}/#/?sso_token=#{access_token.token}"
+      redirect_to "#{ENV['SSO_FRONTEND_REDIRECTION']}/#/?sso_token=#{access_token.token}", allow_other_host: true
     else
       logger.info "Response Invalid. Errors: #{response.errors}"
       @errors = response.errors
@@ -50,7 +51,7 @@ def logout
 
     settings.name_identifier_value = session[:nameid] if settings.name_identifier_value.nil?
 
-    redirect_to(logout_request.create(settings))
+    redirect_to(logout_request.create(settings), allow_other_host: true)
   end
 
   # Handle the SLO response from the IdP
@@ -73,7 +74,7 @@ def slo
       session[:nameid] = nil
       session[:transaction_id] = nil
 
-      redirect_to ENV['SSO_FRONTEND_REDIRECTION']
+      redirect_to ENV['SSO_FRONTEND_REDIRECTION'], allow_other_host: true
     end
   end
 

From f27b40b5e2aa595315193508887fd89b2eec3317 Mon Sep 17 00:00:00 2001
From: Bruno Perles <bruno@atnos.com>
Date: Tue, 14 Nov 2023 13:04:31 +0000
Subject: [PATCH 07/11] Missing condition

---
 app/controllers/saml_controller.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/saml_controller.rb b/app/controllers/saml_controller.rb
index 6ac3074a..d5ae5add 100644
--- a/app/controllers/saml_controller.rb
+++ b/app/controllers/saml_controller.rb
@@ -18,12 +18,14 @@ def consume
       email = response.name_id
       session[:nameid] = response.name_id
       user = User.find_by("LOWER(email) = ?", email.strip.downcase)
-      unless user
+      if user
+        user.unlock_access!
+      else
         password = [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].sample(16).join
         user = User.create!(email:, password:, password_confirmation: password)
         user.is_user = true
-        user.save
         user.unlock_access!
+        user.save
       end
       sign_in(:user, user)
 

From dc5d45a33d6e9cb3b60698281957ffe9e4c04306 Mon Sep 17 00:00:00 2001
From: Sylvain Pastor <sylvain@MBPdeatnosadmin.lan>
Date: Tue, 28 Nov 2023 17:08:06 +0100
Subject: [PATCH 08/11] doc: readme update, prepare sso doc

---
 README.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/README.md b/README.md
index 7f3c6c0c..22a49769 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,25 @@ ldap_admin_user: [Fill it with the LDAP admin user]
 ldap_admin_user_password: [Fill it with admin user password]
 ```
 
+### Enable SSO mode (optional)
+This following information are required to enable SSO mode, make sure you have them all:
+- "entity_id (issuer)"
+- "sso_service_url (idp_sso_target_url)"
+- "idp_cert (idp_cert_fingerprint)"
+
+set those informations inside your `.env` file.
+
+```
+ENABLE_SSO=true
+IDP_ENTITY_ID=[ENTITY_ID_VALUE]
+IDP_SSO_TARGET_URL=[SSO_TARGET_URL]
+IDP_SLO_TARGET_URL=[SSO_TARGET_URL]
+IDP_CERT=[SSO_CERTIFICATE_VALUE]
+SSO_FRONTEND_REDIRECTION=[FRONT_END_URL]
+```
+
+Restart your pia-back rails app
+
 ## SMTP configuration
 Set up the environment credentials variables using `EDITOR='nano' rails credentials:edit` :
 

From 90d4a0384eca9ef54499966d441143025fd4ca2d Mon Sep 17 00:00:00 2001
From: Kevin Beyrand <kevin@atnos.com>
Date: Mon, 4 Dec 2023 16:24:37 +0100
Subject: [PATCH 09/11] Update README.md

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 22a49769..5ed1e0a5 100644
--- a/README.md
+++ b/README.md
@@ -135,14 +135,14 @@ set those informations inside your `.env` file.
 
 ```
 ENABLE_SSO=true
-IDP_ENTITY_ID=[ENTITY_ID_VALUE]
-IDP_SSO_TARGET_URL=[SSO_TARGET_URL]
-IDP_SLO_TARGET_URL=[SSO_TARGET_URL]
-IDP_CERT=[SSO_CERTIFICATE_VALUE]
+IDP_ENTITY_ID=[ENTITY ID VALUE]
+IDP_SSO_TARGET_URL=[SSO TARGET URL]
+IDP_SLO_TARGET_URL=[SSO TARGET URL] (same URL than IDP_SSO_TARGET_URL)
+IDP_CERT=[SSO CERTIFICATE VALUE]
 SSO_FRONTEND_REDIRECTION=[FRONT_END_URL]
 ```
 
-Restart your pia-back rails app
+Restart your pia-back rails app.
 
 ## SMTP configuration
 Set up the environment credentials variables using `EDITOR='nano' rails credentials:edit` :

From 423a84a014d0a507a859f8a607193c722b487eb2 Mon Sep 17 00:00:00 2001
From: Kevin Beyrand <kevin@atnos.com>
Date: Mon, 4 Dec 2023 16:27:24 +0100
Subject: [PATCH 10/11] Update README.md

---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/README.md b/README.md
index 5ed1e0a5..c1c5296b 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,13 @@ SSO_FRONTEND_REDIRECTION=[FRONT_END_URL]
 
 Restart your pia-back rails app.
 
+You also need to configure your SAML SSO:
+- "Identifier (Entity ID)" : https://[PIA_BACK_URL]/saml/metadata
+- "Reply URL (Assertion Consumer Service URL / ACS)" : https://[PIA_BACK_URL]/saml/acs
+- "Logout URL (Single Logout URL / SLO)" : https://[PIA_BACK_URL]/saml/slo
+
+After this, you should be able to use the SSO authentication button on the homepage of the PIA tool.
+
 ## SMTP configuration
 Set up the environment credentials variables using `EDITOR='nano' rails credentials:edit` :
 

From 902f302d3362b5d5a9cba81278b24bee69953260 Mon Sep 17 00:00:00 2001
From: syl-p <sylvain@atnos.com>
Date: Wed, 21 Feb 2024 14:59:50 +0100
Subject: [PATCH 11/11] fix: bundle for x86_64

---
 Gemfile.lock | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Gemfile.lock b/Gemfile.lock
index d65dfe5c..ac2d90cc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -167,6 +167,8 @@ GEM
     nio4r (2.7.0)
     nokogiri (1.16.2-arm64-darwin)
       racc (~> 1.4)
+    nokogiri (1.16.2-x86_64-linux)
+      racc (~> 1.4)
     orm_adapter (0.5.0)
     parallel (1.24.0)
     parser (3.3.0.5)
@@ -293,6 +295,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-23
+  x86_64-linux
 
 DEPENDENCIES
   bcrypt (~> 3.1.13)