Use google-sso instead of CAS for authentication (#252)

* add sso login

Co-authored-by: Rayhan <[email protected]>

* fix barito_superadmin not assigned correctly

Co-authored-by: Beni Budiharto <[email protected]>

* add deactivated_at attribute for User model

Co-authored-by: Beni Budiharto <[email protected]>

* remove CAS integration

Co-authored-by: Beni Budiharto <[email protected]>

* fix omniauth error on build

Co-authored-by: Beni Budiharto <[email protected]>

* add additional application.yml config example

Co-authored-by: Beni Budiharto <[email protected]>

Co-authored-by: Rayhan <[email protected]>
Co-authored-by: Rayhan Gusty Alif <[email protected]>

.gitignore

@@ -34,3 +34,6 @@ coverage
 # Ignore .vagrant
 .vagrant
 *.log
+
+
+.vscode

Gemfile

@@ -2,8 +2,7 @@ source 'https://rubygems.org'
 
 gem 'berkshelf', '<= 7.0.2'
 gem 'bootstrap', '~> 4.3.1'
-gem 'devise'
-gem 'devise_cas_authenticatable'
+gem 'devise', "~> 4.8.0"
 gem 'elasticsearch'
 gem 'execjs', '<= 2.7.0'
 gem 'faker', '<= 1.8.7'
@@ -34,6 +33,10 @@ gem 'filterrific'
 gem 'dogstatsd-ruby'
 gem 'prometheus-client'
 gem 'jaeger-client'
+gem 'omniauth'
+gem 'omniauth-google-oauth2'
+gem 'oauth2', '~> 1.4.9'
+gem 'jwt'
 
 group :development, :test do
   gem 'cane', '<= 3.0'

Gemfile.lock

@@ -49,7 +49,7 @@ GEM
     ast (2.4.0)
     autoprefixer-rails (9.6.1.1)
       execjs
-    bcrypt (3.1.13)
+    bcrypt (3.1.18)
     bcrypt_pbkdf (1.0.1)
     berkshelf (7.0.2)
       chef (>= 13.6.52)
@@ -125,7 +125,7 @@ GEM
       rake (< 13.0)
     cleanroom (1.0.0)
     coderay (1.1.2)
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.10)
     connection_pool (2.2.2)
     coveralls (0.7.1)
       multi_json (~> 1.3)
@@ -137,15 +137,12 @@ GEM
       safe_yaml (~> 1.0.0)
     crass (1.0.6)
     database_cleaner (1.7.0)
-    devise (4.7.1)
+    devise (4.8.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
-    devise_cas_authenticatable (1.10.4)
-      devise (>= 1.2.0)
-      rubycas-client (>= 2.2.1)
     diff-lcs (1.3)
     docile (1.1.5)
     dogstatsd-ruby (4.5.0)
@@ -161,7 +158,7 @@ GEM
       faraday
       multi_json
     equatable (0.6.1)
-    erubi (1.9.0)
+    erubi (1.10.0)
     erubis (2.7.0)
     ethon (0.12.0)
       ffi (>= 1.3.0)
@@ -175,8 +172,29 @@ GEM
       i18n (>= 0.7)
     fakeredis (0.7.0)
       redis (>= 3.2, < 5.0)
-    faraday (0.15.4)
-      multipart-post (>= 1.2, < 3)
+    faraday (1.10.0)
+      faraday-em_http (~> 1.0)
+      faraday-em_synchrony (~> 1.0)
+      faraday-excon (~> 1.1)
+      faraday-httpclient (~> 1.0)
+      faraday-multipart (~> 1.0)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.0)
+      faraday-patron (~> 1.0)
+      faraday-rack (~> 1.0)
+      faraday-retry (~> 1.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-em_http (1.0.0)
+    faraday-em_synchrony (1.0.0)
+    faraday-excon (1.1.0)
+    faraday-httpclient (1.0.1)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.2.0)
+    faraday-patron (1.0.0)
+    faraday-rack (1.0.0)
+    faraday-retry (1.0.3)
     ffi (1.11.1)
     ffi-libarchive (0.4.10)
       ffi (~> 1.0)
@@ -200,7 +218,7 @@ GEM
     http-cookie (1.0.3)
       domain_name (~> 0.5)
     httpclient (2.8.3)
-    i18n (1.8.5)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
     iniparse (1.4.4)
     ipaddress (0.8.3)
@@ -216,6 +234,7 @@ GEM
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     json (2.3.1)
+    jwt (2.4.1)
     kaminari (1.2.1)
       activesupport (>= 4.1.0)
       kaminari-actionview (= 1.2.1)
@@ -247,7 +266,7 @@ GEM
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    loofah (2.7.0)
+    loofah (2.18.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -262,11 +281,11 @@ GEM
       nokogiri (~> 1)
       rake
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
+    mini_portile2 (2.6.1)
     mini_racer (0.2.6)
       libv8 (>= 6.9.411)
     minitar (0.8)
-    minitest (5.14.2)
+    minitest (5.15.0)
     mixlib-archive (0.4.20)
       mixlib-log
     mixlib-authentication (2.1.1)
@@ -276,8 +295,9 @@ GEM
     mixlib-log (3.0.1)
     mixlib-shellout (2.4.4)
     molinillo (0.6.6)
-    multi_json (1.13.1)
-    multipart-post (2.1.1)
+    multi_json (1.15.0)
+    multi_xml (0.6.0)
+    multipart-post (2.2.3)
     necromancer (0.5.0)
     net-scp (2.0.0)
       net-ssh (>= 2.6.5, < 6.0.0)
@@ -292,9 +312,16 @@ GEM
     netrc (0.11.0)
     newrelic_rpm (6.5.0.357)
     nio4r (2.5.1)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
+      racc (~> 1.4)
     nori (2.6.0)
+    oauth2 (1.4.10)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
     octokit (4.14.0)
       sawyer (~> 0.8.0, >= 0.5.3)
     ohai (15.2.5)
@@ -309,6 +336,18 @@ GEM
       plist (~> 3.1)
       systemu (~> 2.6.4)
       wmi-lite (~> 1.0)
+    omniauth (2.1.0)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-google-oauth2 (1.0.1)
+      jwt (>= 2.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.7.1)
+    omniauth-oauth2 (1.7.3)
+      oauth2 (>= 1.4, < 3)
+      omniauth (>= 1.9, < 3)
     opentracing (0.5.0)
     orderly (0.1.0)
       capybara (>= 1.1)
@@ -333,11 +372,12 @@ GEM
     puma (3.12.6)
     pundit (2.1.0)
       activesupport (>= 3.0.0)
-    rack (2.2.3)
+    racc (1.6.0)
+    rack (2.2.4)
     rack-protection (2.0.7)
       rack
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    rack-test (2.0.2)
+      rack (>= 1.3)
     rails (5.2.2.1)
       actioncable (= 5.2.2.1)
       actionmailer (= 5.2.2.1)
@@ -354,7 +394,7 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
+    rails-html-sanitizer (1.4.3)
       loofah (~> 2.3)
     railties (5.2.2.1)
       actionpack (= 5.2.2.1)
@@ -368,7 +408,7 @@ GEM
     rb-inotify (0.10.0)
       ffi (~> 1.0)
     redis (4.0.2)
-    responders (3.0.0)
+    responders (3.0.1)
       actionpack (>= 5.0)
       railties (>= 5.0)
     rest-client (2.1.0)
@@ -408,9 +448,8 @@ GEM
     rubocop-rspec (1.25.0)
       rubocop (>= 0.53.0)
     ruby-progressbar (1.10.1)
+    ruby2_keywords (0.0.5)
     ruby_dep (1.5.0)
-    rubycas-client (2.3.9)
-      activesupport
     rubyntlm (0.6.2)
     rubyzip (1.3.0)
     rufus-mnemo (1.2.3)
@@ -513,7 +552,7 @@ GEM
     tty-screen (0.7.0)
     typhoeus (1.3.0)
       ethon (>= 0.9.0)
-    tzinfo (1.2.7)
+    tzinfo (1.2.9)
       thread_safe (~> 0.1)
     uglifier (4.1.20)
       execjs (>= 0.3.0, < 3)
@@ -523,8 +562,8 @@ GEM
     unicode-display_width (1.6.0)
     unicode_utils (1.4.0)
     uuidtools (2.1.5)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.9)
+      rack (>= 2.0.9)
     web-console (3.6.2)
       actionview (>= 5.0)
       activemodel (>= 5.0)
@@ -570,8 +609,7 @@ DEPENDENCIES
   capybara (<= 3.2.1)
   coveralls (<= 0.8)
   database_cleaner (<= 1.7)
-  devise
-  devise_cas_authenticatable
+  devise (~> 4.8.0)
   dogstatsd-ruby
   elasticsearch
   execjs (<= 2.7.0)
@@ -584,11 +622,15 @@ DEPENDENCIES
   jar-dependencies (<= 0.3.12)
   jbuilder (<= 2.7.0)
   jquery-rails
+  jwt
   kaminari
   knife-solo (<= 0.7.0.pre3)
   listen (<= 3.1.5)
   mini_racer (~> 0.2.4)
   newrelic_rpm
+  oauth2 (~> 1.4.9)
+  omniauth
+  omniauth-google-oauth2
   orderly
   pg (<= 1.0.0)
   prometheus-client

app/controllers/omniauth_callbacks_controller.rb

@@ -0,0 +1,26 @@
+class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+	def google_oauth2
+		account = request.env['omniauth.auth']
+		email = account.info.email
+
+		unless User.valid_email_domain?(email)
+			flash[:alert] = 'Email domain not valid'
+			redirect_to new_user_session_path, event: :authentication
+      return
+		end
+
+		@user = User.find_or_create_by_email(email)
+		if @user && @user.deactivated_at.nil?
+			flash[:alert] = I18n.t 'devise.omniauth_callbacks.success', kind: 'Google'
+			sign_in_and_redirect @user, event: :authentication
+		else
+			flash[:alert] = 'There is something wrong, please contact the administrator'
+			redirect_to new_user_session_path, event: :authentication
+		end
+	end
+
+    def failure
+      flash[:alert] = 'There is something wrong, please contact the administrator'
+    	redirect_to new_user_session_path
+    end
+ end

app/controllers/sessions_controller.rb

@@ -0,0 +1,7 @@
+class SessionsController < ApplicationController
+	def logout
+		sign_out current_user
+		redirect_to root_path
+	end
+
+end

app/models/user.rb

@@ -1,8 +1,8 @@
 class User < ApplicationRecord
   after_create :add_global_viewer_group, if: :is_global_viewer?
 
-  if Figaro.env.enable_cas_integration == 'true'
-    devise :cas_authenticatable, :trackable
+  if Figaro.env.enable_sso_integration == "true"
+    devise :trackable, :omniauthable, omniauth_providers: %i[google_oauth2]
   else
     devise :database_authenticatable, :trackable, :registerable
   end
@@ -24,6 +24,31 @@ def self.find_by_username_or_email(input)
     User.where("username = :input OR email = :input", input: input).first
   end
 
+  # find user by email 
+  #   if not exists, find by it's username then bind the email
+  #   if no username match, create the user
+  def self.find_or_create_by_email(email)
+    user = User.where(email: email).first
+
+    if user.nil?
+      username_from_email = email.split('@').first
+      user = User.where(username: username_from_email).first
+      unless user.nil?
+        user.update_attribute(:email, email)
+      else
+        user = User.create(username: username_from_email, email: email)
+      end
+    end
+
+    user
+  end
+
+  def self.valid_email_domain? email
+    domain = email.split('@').last
+    hosted_domains = Figaro.env.whitelisted_email_domains.to_s.split(',')
+    hosted_domains.include?(domain)
+  end
+
   def add_global_viewer_group
     group = Group.find_by(name: Figaro.env.global_viewer_role)
     group_user = GroupUser.create(