mirror of
https://github.com/zammad/zammad
synced 2026-05-24 09:48:36 +00:00
ac64d768aa
This removes several legacy compatibility layers that have been deprecated for Zammad 6.0: - `ApplicationController::Authenticates.permission_check` unused method removed - `ApplicationController::Authenticates.authentication_check_only` removed unused parameter `auth_params` - `ApplicationController::Authenticates.authentication_check_prerequesits ` removed unused parameter `auth_params` - `HasObjectManagerAttributesValidation` unused concern removed - `Ticket::Escalation.rebuild_all` unused method removed - `Store.add` unused method removed - Deprecated redirect rake Tasks `searchindex:*` removed - Deprecated legacy wrapper `Cache` removed
142 lines
4.7 KiB
Ruby
142 lines
4.7 KiB
Ruby
# Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
|
|
|
|
module ApplicationController::Authenticates
|
|
extend ActiveSupport::Concern
|
|
|
|
private
|
|
|
|
def authentication_check(basic_auth_prompt: nil)
|
|
user = authentication_check_only
|
|
|
|
# check if basic_auth fallback is possible
|
|
if basic_auth_prompt && !user
|
|
request_http_basic_authentication
|
|
return false
|
|
end
|
|
|
|
# return auth not ok
|
|
if !user
|
|
raise Exceptions::Forbidden, __('Authentication required')
|
|
end
|
|
|
|
# return auth ok
|
|
true
|
|
end
|
|
|
|
def authentication_check_only
|
|
if %w[test development].include?(Rails.env) && ENV['FAKE_SELENIUM_LOGIN_USER_ID'].present? && session[:user_id].blank?
|
|
session[:user_id] = ENV['FAKE_SELENIUM_LOGIN_USER_ID'].to_i
|
|
session[:user_device_updated_at] = Time.zone.now
|
|
end
|
|
|
|
# logger.debug 'authentication_check'
|
|
# logger.debug params.inspect
|
|
# logger.debug session.inspect
|
|
# logger.debug cookies.inspect
|
|
authentication_errors = []
|
|
|
|
# already logged in, early exit
|
|
if session.id && session[:user_id]
|
|
logger.debug { 'session based auth check' }
|
|
user = User.lookup(id: session[:user_id])
|
|
return authentication_check_prerequesits(user, 'session') if user
|
|
|
|
authentication_errors.push("Can't find User with ID #{session[:user_id]} from Session")
|
|
end
|
|
|
|
# check http basic based authentication
|
|
authenticate_with_http_basic do |username, password|
|
|
request.session_options[:skip] = true # do not send a session cookie
|
|
logger.debug { "http basic auth check '#{username}'" }
|
|
if Setting.get('api_password_access') == false
|
|
raise Exceptions::Forbidden, 'API password access disabled!'
|
|
end
|
|
|
|
auth = Auth.new(username, password)
|
|
return authentication_check_prerequesits(auth.user, 'basic_auth') if auth.valid?
|
|
|
|
authentication_errors.push(__('Invalid BasicAuth credentials'))
|
|
end
|
|
|
|
# check http token based authentication
|
|
authenticate_with_http_token do |token_string, _options|
|
|
logger.debug { "http token auth check '#{token_string}'" }
|
|
request.session_options[:skip] = true # do not send a session cookie
|
|
if Setting.get('api_token_access') == false
|
|
raise Exceptions::Forbidden, 'API token access disabled!'
|
|
end
|
|
|
|
user = Token.check(
|
|
action: 'api',
|
|
name: token_string,
|
|
inactive_user: true,
|
|
)
|
|
|
|
if user
|
|
token = Token.find_by(name: token_string)
|
|
|
|
token.last_used_at = Time.zone.now
|
|
token.save!
|
|
|
|
if token.expires_at &&
|
|
Time.zone.today >= token.expires_at
|
|
raise Exceptions::NotAuthorized, __('Not authorized (token expired)!')
|
|
end
|
|
|
|
@_token = token # remember for Pundit authorization / permit!
|
|
end
|
|
|
|
@_token_auth = token_string # remember for permission_check
|
|
return authentication_check_prerequesits(user, 'token_auth') if user
|
|
|
|
authentication_errors.push(__("Can't find User for Token"))
|
|
end
|
|
|
|
# check oauth2 token based authentication
|
|
token = Doorkeeper::OAuth::Token.from_bearer_authorization(request)
|
|
if token
|
|
request.session_options[:skip] = true # do not send a session cookie
|
|
logger.debug { "OAuth2 token auth check '#{token}'" }
|
|
access_token = Doorkeeper::AccessToken.by_token(token)
|
|
|
|
raise Exceptions::NotAuthorized, __('The provided token is invalid.') if !access_token
|
|
|
|
# check expire
|
|
if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
|
|
raise Exceptions::NotAuthorized, __('OAuth2 token is expired!')
|
|
end
|
|
|
|
# if access_token.scopes.empty?
|
|
# raise Exceptions::NotAuthorized, 'OAuth2 scope missing for token!'
|
|
# end
|
|
|
|
user = User.find(access_token.resource_owner_id)
|
|
return authentication_check_prerequesits(user, 'token_auth') if user
|
|
|
|
authentication_errors.push("Can't find User with ID #{access_token.resource_owner_id} for OAuth2 token")
|
|
end
|
|
|
|
return false if authentication_errors.blank?
|
|
|
|
raise Exceptions::NotAuthorized, authentication_errors.join(', ')
|
|
end
|
|
|
|
def authentication_check_prerequesits(user, auth_type)
|
|
raise Exceptions::Forbidden, __('Maintenance mode enabled!') if in_maintenance_mode?(user)
|
|
|
|
raise_unified_login_error if !user.active
|
|
|
|
current_user_set(user, auth_type)
|
|
user_device_log(user, auth_type)
|
|
logger.debug { "#{auth_type} for '#{user.login}'" }
|
|
user
|
|
end
|
|
|
|
def raise_unified_login_error
|
|
raise Exceptions::NotAuthorized, __('Login failed. Have you double-checked your credentials and completed the email verification step?')
|
|
end
|
|
|
|
def authenticate_and_authorize!
|
|
authentication_check && authorize!
|
|
end
|
|
end
|