various sso fixes

.gitignore

@@ -26,3 +26,4 @@ public/system
 .env.production*
 .env.local
 .env
+*~undo-tree~

app/controllers/users/omniauth_callbacks_controller.rb

@@ -2,6 +2,8 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
   skip_before_action :verify_authenticity_token, only: :saml
 
+  skip_forgery_protection if: :saml_callback_path?
+
   def saml
     # You need to implement the method below in your model (e.g. app/models/user.rb)
     Rails.logger.error("========= SAML\n#{request.env['omniauth.auth']}\n==========")
@@ -19,4 +21,9 @@ def saml
   def failure
     redirect_to root_path
   end
-end
+
+  protected
+  def saml_callback_path?
+    request.fullpath == '/users/auth/saml/callback'
+  end
+end

app/controllers/users/sessions_controller.rb

@@ -0,0 +1,22 @@
+module Users
+  class SessionsController < Devise::SessionsController
+    def destroy
+      # Preserve the saml_uid and saml_session_index in the session
+      saml_uid = session['saml_uid']
+      saml_session_index = session['saml_session_index']
+      super do
+        session['saml_uid'] = saml_uid
+        session['saml_session_index'] = saml_session_index
+      end
+    end
+
+    def after_sign_out_path_for(_)
+	    Rails.logger.error("~~~~~~~~~~~ #{session['saml_uid']} && #{session['saml_session_index']} && #{IDP_METADATA[:idp_slo_service_url]}")
+      if session['saml_uid'] && session['saml_session_index'] && IDP_METADATA[:idp_slo_service_url]
+        user_saml_omniauth_authorize_path + "/spslo"
+      else
+        super
+      end
+    end
+  end
+end

app/models/user.rb

@@ -13,7 +13,7 @@ class User < ApplicationRecord
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable and :omniauthable
   if ENV.fetch('SSO_ENABLED', false)
-    devise :omniauthable, :recoverable, :rememberable,
+    devise :database_authenticatable, :omniauthable, :recoverable, :rememberable,
           :trackable, omniauth_providers: [:saml]
   else
     devise :database_authenticatable, :registerable,
@@ -28,10 +28,10 @@ def to_s
   end
 
   def self.from_omniauth(auth)
-    where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
-      user.email = auth.info.email
+    where(provider: auth.provider, uid: auth.uid).first || where(email: auth.uid).first_or_create do |user|
+      user.email = auth.uid
       user.password = Devise.friendly_token[0, 20]
-      user.name = auth.info.name   # assuming the user model has a name
+      user.display_name = auth.info.display_name   # assuming the user model has a name
     end
   end
 
@@ -42,5 +42,4 @@ def self.new_with_session(params, session)
       end
     end
   end
-
 end

config/blacklight.yml

@@ -1,9 +1,12 @@
 development:
   adapter: solr
   url: <%= ENV['SOLR_DEVELOPMENT_URL'] || ENV['SOLR_URL'] || "http://127.0.0.1:#{ENV.fetch('SOLR_DEVELOPMENT_PORT', 8983)}/solr/hydra-development" %>
+beta:
+  adapter: solr
+  url: <%= ENV['SOLR_BETA_URL'] || ENV['SOLR_URL'] || "http://127.0.0.1:#{ENV.fetch('SOLR_BETA_PORT', 8983)}/solr/hydra-beta" %>
 test: &test
   adapter: solr
   url: <%= ENV['SOLR_TEST_URL'] || ENV['SOLR_URL'] || "http://127.0.0.1:#{ENV.fetch('SOLR_TEST_PORT', 8985)}/solr/hydra-test" %>
 production:
   adapter: solr
-  url: <%= ENV['SOLR_URL'] || "http://127.0.0.1:8983/solr/blacklight-core" %>
+  url: <%= ENV['SOLR_URL'] || "http://127.0.0.1:8983/solr/blacklight-core" %>

config/deploy.rb

@@ -23,10 +23,10 @@
 # set :pty, true
 
 # Default value for :linked_files is []
-append :linked_files, ".env", ".env.beta", ".env.production" 
+append :linked_files, ".env", ".env.beta", ".env.production"
 
 # Default value for linked_dirs is []
-append :linked_dirs, "log", "public/assets", "public/system", "tmp/pids", "tmp/cache", "tmp/sockets", "public/system", ".bundle"
+append :linked_dirs, "log", "public/assets", "public/system", "tmp/pids", "tmp/cache", "tmp/sockets", "public/system", ".bundle", "tmp/uploads", "tmp/imports", "tmp/exports"
 
 # Default value for default_env is {}
 # set :default_env, { path: "/opt/ruby/bin:$PATH" }
@@ -39,4 +39,3 @@
 
 # Run bundle exec before rack
 append :bundle_bins, 'rack'
-

config/deploy/beta.rb

@@ -0,0 +1,45 @@
+server "libarchive.linnbenton.edu", user: "notch8", roles: %w{app db web}
+
+set :systemd_unit, "hyrax-beta.service"
+set :systemd_use_sudo, true
+set :systemd_roles, %w(app)
+
+set :rails_env, 'beta'
+set :deploy_to, "/var/www/hyrax-beta"
+
+# Configuration
+# =============
+# You can set any configuration variable like in config/deploy.rb
+# These variables are then only loaded and set in this stage.
+# For available Capistrano configuration variables see the documentation page.
+# http://capistranorb.com/documentation/getting-started/configuration/
+# Feel free to add new variables to customise your setup.
+
+
+
+# Custom SSH Options
+# ==================
+# You may pass any option but keep in mind that net/ssh understands a
+# limited set of options, consult the Net::SSH documentation.
+# http://net-ssh.github.io/net-ssh/classes/Net/SSH.html#method-c-start
+#
+# Global options
+# --------------
+#  set :ssh_options, {
+#    keys: %w(/home/rlisowski/.ssh/id_rsa),
+#    forward_agent: false,
+#    auth_methods: %w(password)
+#  }
+#
+# The server-based syntax can be used to override options:
+# ------------------------------------
+# server "example.com",
+#   user: "user_name",
+#   roles: %w{web app},
+#   ssh_options: {
+#     user: "user_name", # overrides user setting above
+#     keys: %w(/home/user_name/.ssh/id_rsa),
+#     forward_agent: false,
+#     auth_methods: %w(publickey password)
+#     # password: "please use keys"
+#   }

config/environments/beta.rb

@@ -0,0 +1,54 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports.
+  config.consider_all_requests_local = true
+
+  # Enable/disable caching. By default caching is disabled.
+  if Rails.root.join('tmp/caching-dev.txt').exist?
+    config.action_controller.perform_caching = true
+
+    config.cache_store = :memory_store
+    config.public_file_server.headers = {
+      'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}"
+    }
+  else
+    config.action_controller.perform_caching = false
+
+    config.cache_store = :null_store
+  end
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  config.action_mailer.perform_caching = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Raise an error on page load if there are pending migrations.
+  config.active_record.migration_error = :page_load
+
+  # Debug mode disables concatenation and preprocessing of assets.
+  # This option may cause significant delays in view rendering with a large
+  # number of complex assets.
+  config.assets.debug = true
+
+  # Suppress logger output for asset requests.
+  config.assets.quiet = true
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+
+  # Use an evented file watcher to asynchronously detect changes in source code,
+  # routes, locales, etc. This feature depends on the listen gem.
+  #config.file_watcher = ActiveSupport::EventedFileUpdateChecker
+end

config/environments/production.rb

@@ -53,7 +53,7 @@
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.
-  config.log_level = :debug
+  config.log_level = :info
 
   # Prepend all log lines with the following tags.
   config.log_tags = [ :request_id ]

config/fedora.yml

@@ -1,3 +1,8 @@
+beta:
+  user: fedoraAdmin
+  password: fedoraAdmin
+  url: <%= ENV['FCREPO_URL'] || 'http://127.0.0.1:8984/rest' %>
+  base_path: /beta
 development:
   user: fedoraAdmin
   password: fedoraAdmin

config/initializers/devise.rb

@@ -251,8 +251,9 @@
   # Add a new OmniAuth provider. Check the wiki for more information on setting
   # up on your models and hooks.
   # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
-  idp_metadata = OneLogin::RubySaml::IdpMetadataParser.new.parse_to_hash(File.read(Rails.root.join('config/sso_metadata.xml')))
-  config.omniauth :saml, idp_metadata.merge(sp_entity_id: 'https://libarchive.linnbenton.edu', assertion_consumer_service_url: 'https://libarchive.linnbenton.edu/user/auth/saml/callback')
+  IDP_METADATA = OneLogin::RubySaml::IdpMetadataParser.new.parse_to_hash(File.read(Rails.root.join('config/sso_metadata.xml')))
+  IDP_METADATA.merge!(sp_entity_id: 'https://libarchive.linnbenton.edu', assertion_consumer_service_url: 'https://libarchive.linnbenton.edu/users/auth/saml/callback')
+  config.omniauth :saml, IDP_METADATA
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or

config/initializers/hyrax.rb

@@ -9,6 +9,8 @@
   config.register_curation_concern :open_educational_resource
   # Injected via `rails g hyrax:work Image`
   config.register_curation_concern :image
+  # Injected via `rails g hyrax:work Video`
+  config.register_curation_concern :video
   # Register roles that are expected by your implementation.
   # @see Hyrax::RoleRegistry for additional details.
   # @note there are magical roles as defined in Hyrax::RoleRegistry::MAGIC_ROLES
@@ -133,6 +135,15 @@
   # The banner image. Should be 5000px wide by 1000px tall
   # config.banner_image = 'https://cloud.githubusercontent.com/assets/92044/18370978/88ecac20-75f6-11e6-8399-6536640ef695.jpg'
 
+  # Temporary paths to hold uploads before they are ingested into FCrepo
+  # These must be lambdas that return a Pathname. Can be configured separately
+  #  config.upload_path = ->() { Rails.root + 'tmp' + 'uploads' }
+  #  config.cache_path = ->() { Rails.root + 'tmp' + 'uploads' + 'cache' }
+
+  # Location on local file system where derivatives will be stored
+  # If you use a multi-server architecture, this MUST be a shared volume
+  config.derivatives_path = Rails.root.join('public', 'system', 'derivatives')
+
   # Should schema.org microdata be displayed?
   # config.display_microdata = true
 

config/redis.yml

@@ -1,6 +1,9 @@
 development:
   host: <%= ENV.fetch('REDIS_HOST', 'localhost') %>
   port: <%= ENV.fetch('REDIS_PORT', 6379) %>
+beta:
+  host: localhost
+  port: 6379
 test:
   host: <%= ENV.fetch('REDIS_HOST', 'localhost') %>
   port: <%= ENV.fetch('REDIS_PORT', 6379) %>

config/role_map.yml

@@ -29,4 +29,4 @@ production:
     - [email protected]
     - [email protected]
     - [email protected]
-    - support@nothc8.com
+    - support@notch8.com

config/routes.rb

@@ -14,7 +14,7 @@
     concerns :searchable
   end
 
-  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks', sessions: 'users/sessions' }
   mount Qa::Engine => '/authorities'
   mount Hyrax::Engine, at: '/'
   resources :welcome, only: 'index'

config/solr.yml

@@ -1,6 +1,8 @@
 # This is a sample config file that points to a solr server for each environment
 development:
   url: <%= ENV['SOLR_URL'] || 'http://127.0.0.1:8983/solr/hydra-development' %>
+beta:
+  url: <%= ENV['SOLR_URL'] || 'http://127.0.0.1:8983' %>/solr/hydra-beta
 test:
   url: <%= ENV['SOLR_URL'] || 'http://127.0.0.1:8983/solr/hydra-test' %>
 production:

lib/tasks/derivatives.rake

@@ -0,0 +1,23 @@
+namespace :derivatives do
+	desc 'Loop over all objects and regenerative derivatives'
+	task regenerate: [:environment] do
+		Hyrax.config.curation_concerns.each do |concern|
+      		concern.all.map(&:members).each do |members|
+        		next if members.blank?
+        		members.each do |member|
+          			next unless member.is_a?(FileSet)
+          			if member.original_file.nil?
+            				puts "No :original_file relation returned for FileSet (#{member.id})"
+            				next
+          			end
+		       		wrapper = JobIoWrapper.find_by(file_set_id: member.id)
+       				path_hint = wrapper.uploaded_file ? wrapper.uploaded_file.uploader.path : wrapper.path
+          			Rails.logger.debug("Regenerating derivatives for FileSet #{member.id} in the background")
+          			puts "Queueing (#{member.id})"
+          			CharacterizeJob.perform_later(member, member.original_file.id, path_hint)
+				sleep(40)
+			end
+		end
+	end
+	end
+end