discourse/lib/single_sign_on.rb

# frozen_string_literal: true

class SingleSignOn

  class ParseError < RuntimeError; end

  ACCESSORS = %i{
    add_groups
    admin moderator
    avatar_force_update
    avatar_url
    bio
    card_background_url
    email
    external_id
    groups
    locale
    locale_force_update
    logout
    name
    nonce
    profile_background_url
    remove_groups
    require_activation
    return_sso_url
    suppress_welcome_message
    title
    username
    website
    location
  }

  FIXNUMS = []

  BOOLS = %i{
    admin
    avatar_force_update
    locale_force_update
    logout
    moderator
    require_activation
    suppress_welcome_message
  }

  def self.nonce_expiry_time
    @nonce_expiry_time ||= 10.minutes
  end

  def self.nonce_expiry_time=(v)
    @nonce_expiry_time = v
  end

  def self.used_nonce_expiry_time
    24.hours
  end

  attr_accessor(*ACCESSORS)
  attr_writer :sso_secret, :sso_url

  def self.sso_secret
    raise RuntimeError, "sso_secret not implemented on class, be sure to set it on instance"
  end

  def self.sso_url
    raise RuntimeError, "sso_url not implemented on class, be sure to set it on instance"
  end

  def self.parse(payload, sso_secret = nil, **init_kwargs)
    sso = new(**init_kwargs)
    sso.sso_secret = sso_secret if sso_secret

    parsed = Rack::Utils.parse_query(payload)
    decoded = Base64.decode64(parsed["sso"])
    decoded_hash = Rack::Utils.parse_query(decoded)

    if sso.sign(parsed["sso"]) != parsed["sig"]
      diags = "\n\nsso: #{parsed["sso"]}\n\nsig: #{parsed["sig"]}\n\nexpected sig: #{sso.sign(parsed["sso"])}"
      if parsed["sso"] =~ /[^a-zA-Z0-9=\r\n\/+]/m
        raise ParseError, "The SSO field should be Base64 encoded, using only A-Z, a-z, 0-9, +, /, and = characters. Your input contains characters we don't understand as Base64, see http://en.wikipedia.org/wiki/Base64 #{diags}"
      else
        raise ParseError, "Bad signature for payload #{diags}"
      end
    end

    ACCESSORS.each do |k|
      val = decoded_hash[k.to_s]
      val = val.to_i if FIXNUMS.include? k
      if BOOLS.include? k
        val = ["true", "false"].include?(val) ? val == "true" : nil
      end
      sso.public_send("#{k}=", val)
    end

    decoded_hash.each do |k, v|
      if field = k[/^custom\.(.+)$/, 1]
        sso.custom_fields[field] = v
      end
    end

    sso
  end

  def diagnostics
    SingleSignOn::ACCESSORS.map { |a| "#{a}: #{public_send(a)}" }.join("\n")
  end

  def sso_secret
    @sso_secret || self.class.sso_secret
  end

  def sso_url
    @sso_url || self.class.sso_url
  end

  def custom_fields
    @custom_fields ||= {}
  end

  def sign(payload, secret = nil)
    secret = secret || sso_secret
    OpenSSL::HMAC.hexdigest("sha256", secret, payload)
  end

  def to_json
    self.to_h.to_json
  end

  def to_url(base_url = nil)
    base = "#{base_url || sso_url}"
    "#{base}#{base.include?('?') ? '&' : '?'}#{payload}"
  end

  def payload(secret = nil)
    payload = Base64.strict_encode64(unsigned_payload)
    "sso=#{CGI::escape(payload)}&sig=#{sign(payload, secret)}"
  end

  def unsigned_payload
    Rack::Utils.build_query(self.to_h)
  end

  def to_h
    payload = {}

    ACCESSORS.each do |k|
      next if (val = public_send(k)) == nil
      payload[k] = val
    end

    @custom_fields&.each do |k, v|
      payload["custom.#{k}"] = v.to_s
    end

    payload
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`class SingleSignOn`
FEATURE: allow specifying locale via SSO Use: locale locale_force_update To force user locale on users where SiteSetting.allow_user_locale is enabled Note: If an invalid locale is specified no action will occur 2018-08-29 19:57:53 -04:00
FIX: Return 422 instead of 500 for invalid SSO signature (#6738) 2018-12-07 10:01:44 -05:00			`class ParseError < RuntimeError; end`

FEATURE: allow specifying locale via SSO Use: locale locale_force_update To force user locale on users where SiteSetting.allow_user_locale is enabled Note: If an invalid locale is specified no action will occur 2018-08-29 19:57:53 -04:00			`ACCESSORS = %i{`
			`add_groups`
			`admin moderator`
			`avatar_force_update`
			`avatar_url`
			`bio`
			`card_background_url`
			`email`
			`external_id`
			`groups`
			`locale`
			`locale_force_update`
FEATURE: Add logout functionality to SSO Provider protocol (#8816) This commit adds support for an optional "logout" parameter in the payload of the /session/sso_provider endpoint. If an SSO Consumer adds a "logout=true" parameter to the encoded/signed "sso" payload, then Discourse will treat the request as a logout request instead of an authentication request. The logout flow works something like this: * User requests logout at SSO-Consumer site (e.g., clicks "Log me out!" on web browser). * SSO-Consumer site does whatever it does to destroy User's session on the SSO-Consumer site. * SSO-Consumer then redirects browser to the Discourse sso_provider endpoint, with a signed request bearing "logout=true" in addition to the usual nonce and the "return_sso_url". * Discourse destroys User's discourse session and redirects browser back to the "return_sso_url". * SSO-Consumer site does whatever it does --- notably, it cannot request SSO credentials from Discourse without the User being prompted to login again. 2020-02-03 12:53:14 -05:00			`logout`
FEATURE: allow specifying locale via SSO Use: locale locale_force_update To force user locale on users where SiteSetting.allow_user_locale is enabled Note: If an invalid locale is specified no action will occur 2018-08-29 19:57:53 -04:00			`name`
			`nonce`
			`profile_background_url`
			`remove_groups`
			`require_activation`
			`return_sso_url`
			`suppress_welcome_message`
			`title`
			`username`
			`website`
FEATURE: support SSO website and location overrides Add location and website + the ability to override using SSO using the `sso_overrides_location` and `sso_overrides_website` site settings. 2020-04-28 02:06:35 -04:00			`location`
FEATURE: allow specifying locale via SSO Use: locale locale_force_update To force user locale on users where SiteSetting.allow_user_locale is enabled Note: If an invalid locale is specified no action will occur 2018-08-29 19:57:53 -04:00			`}`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`FIXNUMS = []`
FEATURE: allow specifying locale via SSO Use: locale locale_force_update To force user locale on users where SiteSetting.allow_user_locale is enabled Note: If an invalid locale is specified no action will occur 2018-08-29 19:57:53 -04:00
			`BOOLS = %i{`
			`admin`
			`avatar_force_update`
			`locale_force_update`
FEATURE: Add logout functionality to SSO Provider protocol (#8816) This commit adds support for an optional "logout" parameter in the payload of the /session/sso_provider endpoint. If an SSO Consumer adds a "logout=true" parameter to the encoded/signed "sso" payload, then Discourse will treat the request as a logout request instead of an authentication request. The logout flow works something like this: * User requests logout at SSO-Consumer site (e.g., clicks "Log me out!" on web browser). * SSO-Consumer site does whatever it does to destroy User's session on the SSO-Consumer site. * SSO-Consumer then redirects browser to the Discourse sso_provider endpoint, with a signed request bearing "logout=true" in addition to the usual nonce and the "return_sso_url". * Discourse destroys User's discourse session and redirects browser back to the "return_sso_url". * SSO-Consumer site does whatever it does --- notably, it cannot request SSO credentials from Discourse without the User being prompted to login again. 2020-02-03 12:53:14 -05:00			`logout`
FEATURE: allow specifying locale via SSO Use: locale locale_force_update To force user locale on users where SiteSetting.allow_user_locale is enabled Note: If an invalid locale is specified no action will occur 2018-08-29 19:57:53 -04:00			`moderator`
			`require_activation`
			`suppress_welcome_message`
			`}`

DEV: allow nonce expiry time to be extended cleanly from a plugin Previously one would have to redefine a constant 2019-03-19 02:33:20 -04:00			`def self.nonce_expiry_time`
			`@nonce_expiry_time \|\|= 10.minutes`
			`end`

			`def self.nonce_expiry_time=(v)`
			`@nonce_expiry_time = v`
			`end`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00
FIX: log proper error message when SSO nonce verification fails (#14077) 2021-08-18 09:14:12 -04:00			`def self.used_nonce_expiry_time`
			`24.hours`
			`end`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`attr_accessor(*ACCESSORS)`
Fix "duplicate method" issue Fixing http://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Lint/DuplicateMethods Readers are defined (https://github.com/discourse/discourse/blob/master/lib/single_sign_on.rb#L61), so only writers have to be generated. 2017-11-02 07:33:35 -04:00			`attr_writer :sso_secret, :sso_url`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00
			`def self.sso_secret`
			`raise RuntimeError, "sso_secret not implemented on class, be sure to set it on instance"`
			`end`

			`def self.sso_url`
			`raise RuntimeError, "sso_url not implemented on class, be sure to set it on instance"`
			`end`

SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124) 2021-02-18 05:35:10 -05:00			`def self.parse(payload, sso_secret = nil, **init_kwargs)`
			`sso = new(**init_kwargs)`
FIX: move sso provider into its own class so it doesn't interfere with sso client (#6767) 2018-12-19 04:22:10 -05:00			`sso.sso_secret = sso_secret if sso_secret`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00
			`parsed = Rack::Utils.parse_query(payload)`
FEATURE: allow multiple secrets for Discourse SSO provider This splits off the logic between SSO keys used incoming vs outgoing, it allows to far better restrict who is allowed to log in using a site. This allows for better auditing of the SSO provider feature 2018-10-15 01:03:53 -04:00			`decoded = Base64.decode64(parsed["sso"])`
			`decoded_hash = Rack::Utils.parse_query(decoded)`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`if sso.sign(parsed["sso"]) != parsed["sig"]`
improve error handling massage for bad sso requests 2014-12-29 17:23:21 -05:00			`diags = "\n\nsso: #{parsed["sso"]}\n\nsig: #{parsed["sig"]}\n\nexpected sig: #{sso.sign(parsed["sso"])}"`
missing chars 2014-12-29 17:28:44 -05:00			`if parsed["sso"] =~ /[^a-zA-Z0-9=\r\n\/+]/m`
FIX: Return 422 instead of 500 for invalid SSO signature (#6738) 2018-12-07 10:01:44 -05:00			`raise ParseError, "The SSO field should be Base64 encoded, using only A-Z, a-z, 0-9, +, /, and = characters. Your input contains characters we don't understand as Base64, see http://en.wikipedia.org/wiki/Base64 #{diags}"`
improve error handling massage for bad sso requests 2014-12-29 17:23:21 -05:00			`else`
FIX: Return 422 instead of 500 for invalid SSO signature (#6738) 2018-12-07 10:01:44 -05:00			`raise ParseError, "Bad signature for payload #{diags}"`
improve error handling massage for bad sso requests 2014-12-29 17:23:21 -05:00			`end`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`

			`ACCESSORS.each do \|k\|`
			`val = decoded_hash[k.to_s]`
			`val = val.to_i if FIXNUMS.include? k`
FEATURE: allow creating admin and moderator accounts via SSO 2014-11-26 20:39:00 -05:00			`if BOOLS.include? k`
			`val = ["true", "false"].include?(val) ? val == "true" : nil`
			`end`
DEV: Prefer `public_send` over `send`. 2019-05-06 21:27:05 -04:00			`sso.public_send("#{k}=", val)`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`
FEATURE: custom fields on User 2014-04-21 23:52:13 -04:00
			`decoded_hash.each do \|k, v\|`
tiny refactor 2017-03-27 10:21:38 -04:00			`if field = k[/^custom\.(.+)$/, 1]`
FEATURE: custom fields on User 2014-04-21 23:52:13 -04:00			`sso.custom_fields[field] = v`
			`end`
			`end`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`sso`
			`end`

FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures 2016-04-07 21:20:01 -04:00			`def diagnostics`
DEV: move send => public_send in lib folder This handles most of the cases in `lib` where we were using send instead of public_send 2019-05-06 22:22:37 -04:00			`SingleSignOn::ACCESSORS.map { \|a\| "#{a}: #{public_send(a)}" }.join("\n")`
FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures 2016-04-07 21:20:01 -04:00			`end`

FEATURE: custom fields on User 2014-04-21 23:52:13 -04:00			`def sso_secret`
			`@sso_secret \|\| self.class.sso_secret`
			`end`

			`def sso_url`
			`@sso_url \|\| self.class.sso_url`
			`end`

			`def custom_fields`
			`@custom_fields \|\|= {}`
			`end`

FIX: move sso provider into its own class so it doesn't interfere with sso client (#6767) 2018-12-19 04:22:10 -05:00			`def sign(payload, secret = nil)`
			`secret = secret \|\| sso_secret`
FEATURE: allow multiple secrets for Discourse SSO provider This splits off the logic between SSO keys used incoming vs outgoing, it allows to far better restrict who is allowed to log in using a site. This allows for better auditing of the SSO provider feature 2018-10-15 01:03:53 -04:00			`OpenSSL::HMAC.hexdigest("sha256", secret, payload)`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`

FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353 2021-03-18 20:20:10 -04:00			`def to_json`
			`self.to_h.to_json`
			`end`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`def to_url(base_url = nil)`
FIX: support sso_url that has query params 2014-03-19 17:14:09 -04:00			`base = "#{base_url \|\| sso_url}"`
			`"#{base}#{base.include?('?') ? '&' : '?'}#{payload}"`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`

FIX: move sso provider into its own class so it doesn't interfere with sso client (#6767) 2018-12-19 04:22:10 -05:00			`def payload(secret = nil)`
single_sign_on: encode the payload with strict_encode64 which doesn't add extraneous newlines 2017-10-17 13:41:52 -04:00			`payload = Base64.strict_encode64(unsigned_payload)`
FIX: move sso provider into its own class so it doesn't interfere with sso client (#6767) 2018-12-19 04:22:10 -05:00			`"sso=#{CGI::escape(payload)}&sig=#{sign(payload, secret)}"`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`

			`def unsigned_payload`
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353 2021-03-18 20:20:10 -04:00			`Rack::Utils.build_query(self.to_h)`
			`end`

			`def to_h`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`payload = {}`
tiny refactor 2017-03-27 10:21:38 -04:00
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`ACCESSORS.each do \|k\|`
DEV: More `send` -> `public_send`. 2019-05-06 22:05:58 -04:00			`next if (val = public_send(k)) == nil`
			`payload[k] = val`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`

tiny refactor 2017-03-27 10:21:38 -04:00			`@custom_fields&.each do \|k, v\|`
			`payload["custom.#{k}"] = v.to_s`
FEATURE: custom fields on User 2014-04-21 23:52:13 -04:00			`end`

FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353 2021-03-18 20:20:10 -04:00			`payload`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-24 22:30:49 -05:00			`end`
			`end`