DO NOT MERGE: Example PR for implementing SSO/Shibboleth

Gemfile

@@ -68,8 +68,8 @@ gem 'grape_on_rails_routes'
 gem 'hydra-role-management'
 gem 'hyrax', '2.9.6'
 gem 'mysql2', '~> 0.4.10'
-gem 'omniauth-openid'
-gem 'omniauth-shibboleth'
+  gem 'omniauth-openid'
+  gem 'omniauth-shibboleth'
 gem 'orcid', git: 'https://github.com/uclibs/orcid', branch: 'rails-5.x'
 gem 'riiif', '~> 2.0'
 gem 'rsolr', '>= 1.0'
@@ -81,10 +81,10 @@ group :development, :test do
   gem 'bixby', '>= 1.0.0'
   gem 'byebug', platform: :mri
   gem 'fcrepo_wrapper'
-  gem 'rails-controller-testing'
+    gem 'rails-controller-testing'
   gem 'rspec-its'
   gem 'rspec-rails'
-  gem 'show_me_the_cookies'
+    gem 'show_me_the_cookies'
   gem 'solr_wrapper', '>= 0.3'
   gem 'vcr'
   gem 'webmock'

app/controllers/application_controller.rb

@@ -15,30 +15,30 @@ class ApplicationController < ActionController::Base
   with_themed_layout '1_column'
   protect_from_forgery with: :exception
 
-  private
+    private
 
-  # override devise helper and route to CC.new when parameter is set
-  def after_sign_in_path_for(resource)
-    cookies[:login_type] = {
-      value: "local",
-      secure: Rails.env.production?
-    }
-    if !resource.waived_welcome_page
-      Rails.application.routes.url_helpers.welcome_page_index_path
-    else
-      Rails.application.routes.url_helpers.new_classify_concern_path
+    # override devise helper and route to CC.new when parameter is set
+    def after_sign_in_path_for(resource)
+      cookies[:login_type] = {
+        value: "local",
+        secure: Rails.env.production?
+      }
+      if !resource.waived_welcome_page
+        Rails.application.routes.url_helpers.welcome_page_index_path
+      else
+        Rails.application.routes.url_helpers.new_classify_concern_path
+      end
     end
-  end
 
-  def after_sign_out_path_for(_resource_or_scope)
-    if cookies[:login_type] == "shibboleth"
-      "/Shibboleth.sso/Logout?return=https%3A%2F%2F" + ENV['SCHOLAR_SHIBBOLETH_LOGOUT']
-    else
-      root_path
+    def after_sign_out_path_for(_resource_or_scope)
+      if cookies[:login_type] == "shibboleth"
+        "/Shibboleth.sso/Logout?return=https%3A%2F%2F" + ENV['SCHOLAR_SHIBBOLETH_LOGOUT']
+      else
+        root_path
+      end
     end
-  end
 
-  def auth_shib_user!
-    redirect_to login_path unless user_signed_in?
-  end
+    def auth_shib_user!
+      redirect_to login_path unless user_signed_in?
+    end
 end

app/controllers/callbacks_controller.rb

@@ -7,79 +7,79 @@ def orcid
     redirect_to root_path, notice: "You have successfully connected with your ORCID record"
   end
 
-  def shibboleth
-    if current_user
-      redirect_to Hyrax::Engine.routes.url_helpers.dashboard_path
-    else
-      retrieve_shibboleth_attributes
-      create_or_update_user
-      sign_in_shibboleth_user
+    def shibboleth
+      if current_user
+        redirect_to Hyrax::Engine.routes.url_helpers.dashboard_path
+      else
+        retrieve_shibboleth_attributes
+        create_or_update_user
+        sign_in_shibboleth_user
+      end
     end
-  end
 
-  private
+    private
 
-  def retrieve_shibboleth_attributes
-    @omni = request.env["omniauth.auth"]
-    @email = use_uid_if_email_is_blank
-  end
+    def retrieve_shibboleth_attributes
+      @omni = request.env["omniauth.auth"]
+      @email = use_uid_if_email_is_blank
+    end
 
-  def create_or_update_user
-    unless user_exists?
-      create_user
-      send_welcome_email
+    def create_or_update_user
+      unless user_exists?
+        create_user
+        send_welcome_email
+      end
+      update_user_shibboleth_attributes if user_has_never_logged_in?
+      update_user_shibboleth_perishable_attributes
     end
-    update_user_shibboleth_attributes if user_has_never_logged_in?
-    update_user_shibboleth_perishable_attributes
-  end
 
-  def sign_in_shibboleth_user
-    sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated
-    cookies[:login_type] = {
-      value: "shibboleth",
-      secure: Rails.env.production?
-    }
-    flash[:notice] = "You are now signed in as #{@user.name} (#{@user.email})"
-  end
+    def sign_in_shibboleth_user
+      sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated
+      cookies[:login_type] = {
+        value: "shibboleth",
+        secure: Rails.env.production?
+      }
+      flash[:notice] = "You are now signed in as #{@user.name} (#{@user.email})"
+    end
 
-  def use_uid_if_email_is_blank
-    # If user has no email address use their [email protected] instead
-    # Some test accounts on QA/dev don't have email addresses
-    return @omni.extra.raw_info.mail if defined?(@omni.extra.raw_info.mail) && @omni.extra.raw_info.mail.present?
-    @omni.uid
-  end
+    def use_uid_if_email_is_blank
+      # If user has no email address use their [email protected] instead
+      # Some test accounts on QA/dev don't have email addresses
+      return @omni.extra.raw_info.mail if defined?(@omni.extra.raw_info.mail) && @omni.extra.raw_info.mail.present?
+      @omni.uid
+    end
 
-  def user_exists?
-    @user = User.where(provider: @omni['provider'], uid: @omni['uid']).first
-  end
+    def user_exists?
+      @user = User.where(provider: @omni['provider'], uid: @omni['uid']).first
+    end
 
-  def user_has_never_logged_in?
-    @user.sign_in_count.zero?
-  end
+    def user_has_never_logged_in?
+      @user.sign_in_count.zero?
+    end
 
-  def create_user
-    @user = User.create provider: @omni.provider,
-                        uid: @omni.uid,
-                        email: @email,
-                        password: Devise.friendly_token[0, 20],
-                        profile_update_not_required: false
-  end
+    def create_user
+      @user = User.create provider: @omni.provider,
+                          uid: @omni.uid,
+                          email: @email,
+                          password: Devise.friendly_token[0, 20],
+                          profile_update_not_required: false
+    end
 
-  def update_user_shibboleth_attributes
-    @user.title              = @omni.extra.raw_info.title
-    @user.telephone          = @omni.extra.raw_info.telephoneNumber
-    @user.first_name         = @omni.extra.raw_info.givenName
-    @user.last_name          = @omni.extra.raw_info.sn
-    @user.save
-  end
+    def update_user_shibboleth_attributes
+      @user.title              = @omni.extra.raw_info.title
+      @user.telephone          = @omni.extra.raw_info.telephoneNumber
+      @user.first_name         = @omni.extra.raw_info.givenName
+      @user.last_name          = @omni.extra.raw_info.sn
+      @user.save
+    end
 
-  def update_user_shibboleth_perishable_attributes
-    @user.uc_affiliation     = @omni.extra.raw_info.uceduPrimaryAffiliation
-    @user.ucdepartment       = @omni.extra.raw_info.ou
-    @user.save
-  end
+    def update_user_shibboleth_perishable_attributes
+      @user.uc_affiliation     = @omni.extra.raw_info.uceduPrimaryAffiliation
+      @user.ucdepartment       = @omni.extra.raw_info.ou
+      @user.save
+    end
 
-  def send_welcome_email
-    WelcomeMailer.welcome_email(@user).deliver
-  end
+    def send_welcome_email
+      WelcomeMailer.welcome_email(@user).deliver
+    end
 end

app/controllers/devise/passwords_controller.rb

@@ -1,21 +1,21 @@
-# frozen_string_literal: true
+  # frozen_string_literal: true
 
-require Devise::Engine.root.join('app/controllers/devise/passwords_controller.rb')
-class Devise::PasswordsController
-  # POST /resource/password
-  def create
-    if resource_params['email'].end_with? '@uc.edu'
-      redirect_to login_path
-      flash[:notice] = "You cannot reset passwords for @uc.edu accounts.  Use your UC Central Login instead."
-    else
-      self.resource = resource_class.send_reset_password_instructions(resource_params)
-      yield resource if block_given?
-
-      if successfully_sent?(resource)
-        respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+  require Devise::Engine.root.join('app/controllers/devise/passwords_controller.rb')
+  class Devise::PasswordsController
+    # POST /resource/password
+    def create
+      if resource_params['email'].end_with? '@uc.edu'
+        redirect_to login_path
+        flash[:notice] = "You cannot reset passwords for @uc.edu accounts.  Use your UC Central Login instead."
       else
-        respond_with(resource)
+        self.resource = resource_class.send_reset_password_instructions(resource_params)
+        yield resource if block_given?
+
+        if successfully_sent?(resource)
+          respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+        else
+          respond_with(resource)
+        end
       end
     end
   end
-end

app/controllers/static_controller.rb

@@ -49,15 +49,15 @@ def doi_help
     render "static/doi_help"
   end
 
-  def login
-    if current_user
-      redirect_to Hyrax::Engine.routes.url_helpers.dashboard_path
-    elsif AUTH_CONFIG['shibboleth_enabled']
-      render "static/login"
-    else
-      redirect_to new_user_session_path
+    def login
+      if current_user
+        redirect_to Hyrax::Engine.routes.url_helpers.dashboard_path
+      elsif AUTH_CONFIG['shibboleth_enabled']
+        render "static/login"
+      else
+        redirect_to new_user_session_path
+      end
     end
-  end
 
   def whats_new
     render "static/whats_new"

app/models/user.rb

@@ -15,8 +15,8 @@ class User < ApplicationRecord
   include Blacklight::User
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable and :omniauthable
-  devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable, :omniauthable, omniauth_providers: [:orcid, :shibboleth]
+    devise :database_authenticatable, :registerable,
+           :recoverable, :rememberable, :trackable, :validatable, :omniauthable, omniauth_providers: [:orcid, :shibboleth]
 
   # Method added by Blacklight; Blacklight uses #to_s on your
   # user class to get a user-displayable login/identifier for

app/views/_user_util_links.html.erb

@@ -19,9 +19,9 @@
         <li><%= link_to t("hyrax.toolbar.profile.view"), hyrax.dashboard_profile_path(current_user) %></li>
         <li><%= link_to t("hyrax.toolbar.profile.edit"), hyrax.edit_dashboard_profile_path(current_user) %></li>
         <li class="divider"></li>
-        <% unless current_user.provider == "shibboleth" %>
-          <li><%= link_to t("hyku.toolbar.profile.edit_registration"), main_app.edit_user_registration_path %></li>
-        <% end %>
+          <% unless current_user.provider == "shibboleth" %>
+            <li><%= link_to t("hyku.toolbar.profile.edit_registration"), main_app.edit_user_registration_path %></li>
+          <% end %>
         <li><%= link_to t("hyrax.toolbar.profile.logout"), main_app.destroy_user_session_path %></li>
       </ul>
     </li><!-- /.btn-group -->

app/views/devise/passwords/new.html.erb

@@ -1,16 +1,16 @@
-<h2>Forgot your password?</h2>
+  <h2>Forgot your password?</h2>
 
-<p>Note: If you have a <strong>uc.edu</strong> email address, do <strong>not</strong> use this form to reset your password. Use the <%= link_to 'Central Login form', user_shibboleth_omniauth_authorize_path %> instead.</p>
+  <p>Note: If you have a <strong>uc.edu</strong> email address, do <strong>not</strong> use this form to reset your password. Use the <%= link_to 'Central Login form', user_shibboleth_omniauth_authorize_path %> instead.</p>
 
-<%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
-  <%= render "devise/shared/error_messages", resource: resource %>
+  <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
+    <%= render "devise/shared/error_messages", resource: resource %>
 
-  <div class="field">
-    <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true %>
-  </div>
+    <div class="field">
+      <%= f.label :email %><br />
+      <%= f.email_field :email, autofocus: true %>
+    </div>
 
-  <div class="actions">
-    <p><%= f.submit "Send me reset password instructions" %></p>
-  </div>
-<% end %>
+    <div class="actions">
+      <p><%= f.submit "Send me reset password instructions" %></p>
+    </div>
+  <% end %>