Merge pull request #1 from Dainii/authentication_and_saml

Add Rodauth authentication: local account + SAML

.env.erb

@@ -1,10 +1,28 @@
+# Database connection information
 DATABASE_USERNAME=
 DATABASE_PASSWORD=
 DATABASE_HOST=localhost
 DATABASE_PORT=5432
 
+# Redis connection URL
 REDIS_URL=
 
+# Keys for data encryption
+# Can be generated with "bundle exec rails db:encryption:init"
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
+
+# Enable authentication through external SAML IDP
+ENABLE_SAML_AUTH=false
+
+# Required
+SP_ENTITY_ID=
+ACS_URL=
+
+# Either provide a metadata endpoint
+METADATA_ENDPOINT=
+
+# Or a IDP service url and a certificate
+IDP_SERVICE_URL=
+IDP_CERTIFICATE=

.github/workflows/rubyonrails.yml

@@ -29,6 +29,9 @@ jobs:
       DATABASE_PASSWORD: password
       DATABASE_HOST: localhost
       DATABASE_PORT: 5432
+      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: rUDelZXwv2ns9cS7PvbJTHOIIVbVbC74
+      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: 26WEPA1xaK9Rvd500LoLVaAk2R175au2
+      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: pewCYUtDK3yqnkEJP2FwvCvMJ2qfY3CT
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

.rubocop.yml

@@ -23,6 +23,8 @@ Metrics/ClassLength:
 
 Metrics/BlockLength:
   Max: 40
+  Exclude:
+    - 'app/misc/*.rb'
 
 Metrics/AbcSize:
   Enabled: false

Gemfile

@@ -34,9 +34,6 @@ gem 'redis', '>= 4.0.1'
 # Really simple JSON and XML parsing, ripped from Merb and Rails.
 gem 'crack'
 
-# Autoload dotenv in Rails
-gem 'dotenv-rails'
-
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: %i[windows jruby]
 
@@ -58,6 +55,14 @@ gem 'activejob-status'
 # Interface for secure random number generator.
 gem 'securerandom'
 
+# Provides Rails integration for Rodauth.
+gem 'omniauth-saml'
+gem 'rodauth-omniauth'
+gem 'rodauth-rails'
+gem 'rotp'
+gem 'rqrcode'
+gem 'webauthn'
+
 # Dnsruby is a pure Ruby DNS client library which implements a stub resolver.
 # It aims to comply with all DNS RFCs, including DNSSEC NSEC3 support.
 gem 'dnsruby'
@@ -68,6 +73,9 @@ group :development, :test do
 
   gem 'database_cleaner-active_record'
 
+  # Autoload dotenv in Rails
+  gem 'dotenv-rails'
+
   # Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis
   gem 'brakeman', require: false
 

Gemfile.lock

@@ -78,8 +78,14 @@ GEM
       minitest (>= 5.1)
       mutex_m
       tzinfo (~> 2.0)
+    after_commit_everywhere (1.4.0)
+      activerecord (>= 4.2)
+      activesupport
+    android_key_attestation (0.3.0)
     ast (2.4.2)
+    awrence (1.2.1)
     base64 (0.2.0)
+    bcrypt (3.1.20)
     better_html (2.0.2)
       actionview (>= 6.0)
       activesupport (>= 6.0)
@@ -88,6 +94,7 @@ GEM
       parser (>= 2.4)
       smart_properties
     bigdecimal (3.1.6)
+    bindata (2.5.0)
     bindex (0.8.1)
     bootsnap (1.18.3)
       msgpack (~> 1.2)
@@ -97,8 +104,13 @@ GEM
     bundler-audit (0.9.1)
       bundler (>= 1.2.0, < 3)
       thor (~> 1.0)
+    cbor (0.5.9.8)
+    chunky_png (1.4.0)
     concurrent-ruby (1.2.3)
     connection_pool (2.4.1)
+    cose (1.3.0)
+      cbor (~> 0.5.9)
+      openssl-signature_algorithm (~> 1.0)
     crack (1.0.0)
       bigdecimal
       rexml
@@ -151,6 +163,7 @@ GEM
     erubi (1.12.0)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    hashie (5.0.0)
     htmlbeautifier (1.4.3)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
@@ -164,6 +177,8 @@ GEM
       rdoc
       reline (>= 0.4.2)
     json (2.7.1)
+    jwt (2.8.0)
+      base64
     language_server-protocol (3.17.0.3)
     loofah (2.22.0)
       crass (~> 1.0.2)
@@ -205,6 +220,16 @@ GEM
       racc (~> 1.4)
     nokogiri (1.16.2-x86_64-linux)
       racc (~> 1.4)
+    omniauth (2.1.2)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-saml (2.1.0)
+      omniauth (~> 2.0)
+      ruby-saml (~> 1.12)
+    openssl (3.2.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
     parallel (1.24.0)
     parser (3.3.0.5)
       ast (~> 2.4.1)
@@ -221,6 +246,9 @@ GEM
       nio4r (~> 2.0)
     racc (1.7.3)
     rack (3.0.9)
+    rack-protection (4.0.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0, < 4)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
@@ -269,6 +297,29 @@ GEM
     reline (0.4.2)
       io-console (~> 0.5)
     rexml (3.2.6)
+    roda (3.77.0)
+      rack
+    rodauth (2.33.0)
+      roda (>= 2.6.0)
+      sequel (>= 4)
+    rodauth-model (0.2.1)
+      rodauth (~> 2.0)
+    rodauth-omniauth (0.3.3)
+      omniauth (~> 2.0)
+      rodauth (~> 2.13)
+    rodauth-rails (1.13.0)
+      bcrypt
+      railties (>= 5.0, < 8)
+      roda (~> 3.73)
+      rodauth (~> 2.30)
+      rodauth-model (~> 0.2)
+      sequel-activerecord_connection (~> 1.1)
+      tilt
+    rotp (6.3.0)
+    rqrcode (2.2.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 1.0)
+    rqrcode_core (1.2.0)
     rspec-core (3.13.0)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.0)
@@ -318,9 +369,20 @@ GEM
       rubocop-capybara (~> 2.17)
       rubocop-factory_bot (~> 2.22)
     ruby-progressbar (1.13.0)
+    ruby-saml (1.16.0)
+      nokogiri (>= 1.13.10)
+      rexml
     ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
+    safety_net_attestation (0.4.0)
+      jwt (~> 2.0)
     securerandom (0.3.1)
+    sequel (5.77.0)
+      bigdecimal
+    sequel-activerecord_connection (1.3.1)
+      activerecord (>= 4.2, < 8)
+      after_commit_everywhere (~> 1.1)
+      sequel (~> 5.38)
     shoulda-matchers (6.1.0)
       activesupport (>= 5.2.0)
     simplecov (0.22.0)
@@ -352,7 +414,12 @@ GEM
     tailwindcss-rails (2.3.0-x86_64-linux)
       railties (>= 6.0.0)
     thor (1.3.0)
+    tilt (2.3.0)
     timeout (0.4.1)
+    tpm-key_attestation (0.12.0)
+      bindata (~> 2.4)
+      openssl (> 2.0)
+      openssl-signature_algorithm (~> 1.0)
     turbo-rails (2.0.2)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)
@@ -368,6 +435,15 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    webauthn (3.1.0)
+      android_key_attestation (~> 0.3.0)
+      awrence (~> 1.1)
+      bindata (~> 2.4)
+      cbor (~> 0.5.9)
+      cose (~> 1.1)
+      openssl (>= 2.2)
+      safety_net_attestation (~> 0.4.0)
+      tpm-key_attestation (~> 0.12.0)
     webrick (1.8.1)
     websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
@@ -397,11 +473,16 @@ DEPENDENCIES
   htmlbeautifier
   importmap-rails
   mission_control-jobs
+  omniauth-saml
   pg (~> 1.1)
   propshaft
   puma (>= 5.0)
   rails (~> 7.1.3)
   redis (>= 4.0.1)
+  rodauth-omniauth
+  rodauth-rails
+  rotp
+  rqrcode
   rspec-rails
   rspec_junit_formatter
   rubocop
@@ -419,6 +500,7 @@ DEPENDENCIES
   turbo-rails
   tzinfo-data
   web-console
+  webauthn
   zlib
 
 RUBY VERSION

app/controllers/application_controller.rb

@@ -1,4 +1,10 @@
 # frozen_string_literal: true
 
 class ApplicationController < ActionController::Base
+  private
+
+  def current_account
+    rodauth.rails_account
+  end
+  helper_method :current_account
 end

app/controllers/authenticated_controller.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AuthenticatedController < ApplicationController
+  before_action :authenticate
+
+  private
+
+  def authenticate
+    rodauth.require_account
+  end
+end

app/controllers/domains_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class DomainsController < ApplicationController
+class DomainsController < AuthenticatedController
   before_action :set_domain, only: %i[show]
 
   # GET /domains

app/controllers/feedback_uploads_controller.rb

@@ -1,14 +1,11 @@
 # frozen_string_literal: true
 
-class FeedbackUploadsController < ApplicationController
+class FeedbackUploadsController < AuthenticatedController
   # GET /feedback_uploads/new
   def new
     @feedback_upload = FeedbackUpload.new
   end
 
-  # GET /feedback_uploads/1/edit
-  def edit; end
-
   # POST /feedback_uploads
   def create
     @feedback_upload = FeedbackUpload.new(feedback_upload_params)

app/controllers/feedbacks_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class FeedbacksController < ApplicationController
+class FeedbacksController < AuthenticatedController
   before_action :set_feedback, only: %i[show]
 
   # Get /domains/1/feedbacks/1

app/controllers/home_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class HomeController < ApplicationController
+class HomeController < AuthenticatedController
   # GET /
   def index; end
 end

app/controllers/jobs_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class JobsController < ApplicationController
+class JobsController < AuthenticatedController
   before_action :set_job, only: %i[show]
 
   # GET /jobs

app/controllers/mailboxes_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class MailboxesController < ApplicationController
+class MailboxesController < AuthenticatedController
   before_action :set_mailbox, only: %i[show edit update destroy]
 
   # GET /mailboxes

app/controllers/ptr_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class PtrController < ApplicationController
+class PtrController < AuthenticatedController
   # Get /dns/1
   def show
     @ip_addres = params[:id]

app/controllers/rodauth_controller.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class RodauthController < ApplicationController
+  # used by Rodauth for rendering views, CSRF protection, and running any
+  # registered action callbacks and rescue_from handlers
+end