trabajo-afectivo/app/controllers/application_controller/authenticates.rb

175 lines
5.8 KiB
Ruby

# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
module ApplicationController::Authenticates
extend ActiveSupport::Concern
private
def permission_check(key)
ActiveSupport::Deprecation.warn("Method 'permission_check' is deprecated. Use Pundit policy and `authorize!` instead.")
if @_token_auth
user = Token.check(
action: 'api',
name: @_token_auth,
permission: key,
)
return false if user
raise Exceptions::Forbidden, 'Not authorized (token)!'
end
return false if current_user&.permissions?(key)
raise Exceptions::Forbidden, 'Not authorized (user)!'
end
def authentication_check(auth_param = {})
user = authentication_check_only(auth_param)
# check if basic_auth fallback is possible
if auth_param[:basic_auth_promt] && !user
request_http_basic_authentication
return false
end
# return auth not ok
if !user
raise Exceptions::Forbidden, 'Authentication required'
end
# return auth ok
true
end
def authentication_check_only(auth_param = {})
if Rails.env.test? && ENV['FAKE_SELENIUM_LOGIN_USER_ID'].present? && session[:user_id].blank?
session[:user_id] = ENV['FAKE_SELENIUM_LOGIN_USER_ID'].to_i
end
# logger.debug 'authentication_check'
# logger.debug params.inspect
# logger.debug session.inspect
# logger.debug cookies.inspect
authentication_errors = []
# already logged in, early exit
if session.id && session[:user_id]
logger.debug { 'session based auth check' }
user = User.lookup(id: session[:user_id])
return authentication_check_prerequesits(user, 'session', auth_param) if user
authentication_errors.push("Can't find User with ID #{session[:user_id]} from Session")
end
# check http basic based authentication
authenticate_with_http_basic do |username, password|
request.session_options[:skip] = true # do not send a session cookie
logger.debug { "http basic auth check '#{username}'" }
if Setting.get('api_password_access') == false
raise Exceptions::Forbidden, 'API password access disabled!'
end
auth = Auth.new(username, password)
return authentication_check_prerequesits(auth.user, 'basic_auth', auth_param) if auth.valid?
authentication_errors.push('Invalid BasicAuth credentials')
end
# check http token based authentication
authenticate_with_http_token do |token_string, _options|
logger.debug { "http token auth check '#{token_string}'" }
request.session_options[:skip] = true # do not send a session cookie
if Setting.get('api_token_access') == false
raise Exceptions::Forbidden, 'API token access disabled!'
end
user = Token.check(
action: 'api',
name: token_string,
inactive_user: true,
)
if user && auth_param[:permission]
ActiveSupport::Deprecation.warn("Paramter ':permission' is deprecated. Use Pundit policy and `authorize!` instead.")
user = Token.check(
action: 'api',
name: token_string,
permission: auth_param[:permission],
inactive_user: true,
)
raise Exceptions::NotAuthorized, 'Not authorized (token)!' if !user
end
if user
token = Token.find_by(name: token_string)
token.last_used_at = Time.zone.now
token.save!
if token.expires_at &&
Time.zone.today >= token.expires_at
raise Exceptions::NotAuthorized, 'Not authorized (token expired)!'
end
@_token = token # remember for Pundit authorization / permit!
end
@_token_auth = token_string # remember for permission_check
return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
authentication_errors.push("Can't find User for Token")
end
# check oauth2 token based authentication
token = Doorkeeper::OAuth::Token.from_bearer_authorization(request)
if token
request.session_options[:skip] = true # do not send a session cookie
logger.debug { "OAuth2 token auth check '#{token}'" }
access_token = Doorkeeper::AccessToken.by_token(token)
raise Exceptions::NotAuthorized, 'Invalid token!' if !access_token
# check expire
if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
raise Exceptions::NotAuthorized, 'OAuth2 token is expired!'
end
# if access_token.scopes.empty?
# raise Exceptions::NotAuthorized, 'OAuth2 scope missing for token!'
# end
user = User.find(access_token.resource_owner_id)
return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
authentication_errors.push("Can't find User with ID #{access_token.resource_owner_id} for OAuth2 token")
end
return false if authentication_errors.blank?
raise Exceptions::NotAuthorized, authentication_errors.join(', ')
end
def authentication_check_prerequesits(user, auth_type, auth_param)
raise Exceptions::Forbidden, 'Maintenance mode enabled!' if in_maintenance_mode?(user)
raise_unified_login_error if !user.active
if auth_param[:permission]
ActiveSupport::Deprecation.warn("Parameter ':permission' is deprecated. Use Pundit policy and `authorize!` instead.")
if !user.permissions?(auth_param[:permission])
raise Exceptions::Forbidden, 'Not authorized (user)!'
end
end
current_user_set(user, auth_type)
user_device_log(user, auth_type)
logger.debug { "#{auth_type} for '#{user.login}'" }
user
end
def raise_unified_login_error
raise Exceptions::NotAuthorized, 'Login failed. Have you double-checked your credentials and completed the email verification step?'
end
end