VERSION. TWO. (#42)

* INITIAL SAML SUPPORT WOO YEA BABEY

it works?

* wawa

* mwaow

* b

* WOAG

* mph

* bunch more stuff

* new OAuth screen

* add trust level to oauth apps

* [community oauth] new scopes, validate only some community ones

* bleh

* my info first pass

* sessions and 2fa

* oauth authorizations/revoke

* nuke sms

* fix drift

* remove hcid on ident#edit

* attack our rack?

* session fixation't

* first pass at stepup auth

* eye eighteen en

* fix brand

* think that does it for dev mode!

* add promote to full user button

* first crack at landing page

* better sessions

* better id edit

* better verf

* less css pass 1

* add phone no

* better cssed?

* securité

* switch from slocks

* HCA

* touch last seen at

* session fingerprinting

* improved?

* localize scopes

* add proper oauth welcome

* eepier tutorial

* how long was that like that?!

* common blankslate

* better addresses?

* [backend] fix reprovisioning and promotion

* improve addresses

* ICONS, BEAUTIFUL ICONS

* primary sidebar

* saml welcome?

* new totp flow?

* marginally better login sec

* better print for backup codes!

* MASSIVE LINT PASS

* autocompletes

* woops

* new staging

* actual login code txnl

* no more legacy slack account linking

* fake slack in staging

* no account yet?

* add samls for staging

* fix slack_staging

* lint

* frickin' xmlsec

* no validate keys ?

* AUGH

* ASGJHFGSDJFG

* shoot me

* aieeeee

* SCHEIßE

* no more attempt association on code

* believe in prefers-color-scheme

* fix verf icon

* nuke vestigial aadhaar functionality

thanks deployor!

* fix xmlsec on gh ci

* remove identity (#27)

* move idcon flashes to locale

* remove dead code impersonation logic

h/t ian!

* fix hx-confirm on delete address?

* add missing dev app locale key

* fix #28

* wait, i'm an idiot (#28)

* THERE WE GO

* add paper_trail to more stuff

* red delete btn

* more red delete btns

* THE AUDIT LOGS UPDATE

* yuge lint pass

* Fix icons (#33)

Some icons didn't have a fill nor a viewbox

* weh

* first pass at docs

* memoize docs, fix 404

* [docs] add crappy erb support

* support non-e+ flow

* fix no devmode locale

* DOCS DOCS DOCS

* tldr dev doc

* anti-clickjacking countdown (h/t @J-Meow)

* weh

* get rid of those, they do nothing for us

* dependent destroy

* find user via scim if ent

* save nav channel ids

* fix base onboarding scenario

* only unique among the living

* add SAML debug

* simplify legacy_email

* add UAT env

* we ARE

* add slack to uat

* no entity id?

* fix saml if logged out

* fix scim assignment?

* bring channels into config

* darn it

* try backoff on assign_to_workspace?? this feels problematic

* do the scim docs lie?

* that was dumb

* Revert "do the scim docs lie?"

This reverts commit 69310db.

* Revert "try backoff on assign_to_workspace?? this feels problematic"

This reverts commit 7a5edd6.

* this some bull shit

* internal tutorial by default

* 18 point something

* fixes: componentize login, no more viewcontext, parse sp-initiated saml better

* one return to.

* just send it

* fix replay bug

* fix URL in welcome docs page (#38)

* simplify login/signup flow, s/faq/terms + privacy

* no more H... we hardly knew you

* first pass at reddening

* red pt. 2

* she's red for an AMAZING reason

* lint pass

* fix tooled tips

* another docs pass

* initial pass at factorybotting docs

* scope diffing for api docs!

* wait we don't need a legend lol

* add verf status to community apps

* fricken lint

* make current_user not nomethod

* move are_we_enterprise_yet to a flipper flag

* improve slack racing

* allow not creating slack

* factorybot in prod for api docs!

* LOL, LMAO

* properly set owner on oauthorizations

* lint pass

* bypass age on existing users

* fix that...

---------

Co-authored-by: Leo <[email protected]>
Co-authored-by: Tom (Deployor) <[email protected]>
Co-authored-by: DaInfLoop <[email protected]>

Author: 4 people

.github/workflows/ci.yml

@@ -13,6 +13,9 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev libxmlsec1-openssl pkg-config
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -28,6 +31,9 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Install system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev libxmlsec1-openssl pkg-config
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

.gitignore

@@ -46,3 +46,7 @@ node_modules
 /config/credentials/staging.key
 
 /config/credentials/development.key
+
+.idea
+**/.DS_Store
+/config/credentials/uat.key

.rspec

@@ -0,0 +1 @@
+--require spec_helper

Dockerfile

@@ -17,7 +17,7 @@ WORKDIR /rails
 # Install base packages with runtime libraries for libheif
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y curl libjemalloc2 libvips imagemagick postgresql-client libffi-dev \
-    libjpeg62-turbo libaom3 libx265-199 libde265-0 libpng16-16 wget && \
+    libjpeg62-turbo libaom3 libx265-199 libde265-0 libpng16-16 wget libxmlsec1 libxmlsec1-openssl && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
@@ -40,7 +40,7 @@ FROM base AS build
 # Install packages needed to build gems
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y curl libjemalloc2 libvips imagemagick postgresql-client libffi-dev build-essential git libpq-dev libyaml-dev pkg-config \
-    cmake libjpeg-dev libpng-dev libaom-dev libx265-dev libde265-dev && \
+    cmake libjpeg-dev libpng-dev libaom-dev libx265-dev libde265-dev libxmlsec1-dev libxmlsec1 libxmlsec1-openssl && \
     # Build libheif from latest source with examples
     cd /tmp && \
     git clone --depth 1 https://github.com/strukturag/libheif.git && \

Dockerfile.worker

@@ -16,7 +16,7 @@ WORKDIR /rails
 
 # Install base packages
 RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y curl libjemalloc2 libvips imagemagick libheif-dev postgresql-client libffi-dev && \
+    apt-get install --no-install-recommends -y curl libjemalloc2 libvips imagemagick libheif-dev postgresql-client libffi-dev libxmlsec1-dev libxmlsec1 libxmlsec1-openssl && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 

Gemfile

@@ -31,6 +31,9 @@ group :development, :test do
 
   # Omakase Ruby styling [https://github.com/rails/rubocop-rails-omakase/]
   gem "rubocop-rails-omakase", require: false
+
+  # Testing framework
+  gem "rspec-rails", "~> 7.1"
 end
 
 group :development do
@@ -113,6 +116,7 @@ gem "ruby-vips", "~> 2.2"
 gem "slack-ruby-client", "~> 2.6"
 
 gem "redcarpet", "~> 3.6"
+gem "front_matter_parser", "~> 1.0"
 
 gem "flipper", "~> 1.3"
 gem "flipper-ui", "~> 1.3"
@@ -121,3 +125,20 @@ gem "flipper-active_record", "~> 1.3"
 gem "annotaterb", "~> 4.19"
 
 gem "erb_lint", "~> 0.9.0", group: :development
+
+gem "saml2", "~> 3.2"
+
+gem "geocoder", "~> 1.8"
+
+gem "rotp", "~> 6.3"
+gem "rqrcode", "~> 2.0"
+
+gem "bcrypt", "~> 3.1"
+
+gem "rack-attack", "~> 6.7"
+
+gem "browser", "~> 6.0"
+
+gem "slocks", "~> 0.1.0"
+
+gem "factory_bot_rails", "~> 6.4"

Gemfile.lock

@@ -115,6 +115,7 @@ GEM
     aws-sigv4 (1.12.0)
       aws-eventstream (~> 1, >= 1.0.2)
     base64 (0.2.0)
+    bcrypt (3.1.20)
     benchmark (0.4.0)
     better_html (2.1.1)
       actionview (>= 6.0)
@@ -133,9 +134,11 @@ GEM
       msgpack (~> 1.2)
     brakeman (7.1.0)
       racc
+    browser (6.2.0)
     builder (3.3.0)
     childprocess (5.1.0)
       logger (~> 1.5)
+    chunky_png (1.4.0)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.3)
     console1984 (0.2.2)
@@ -146,10 +149,12 @@ GEM
     countries (7.1.1)
       unaccent (~> 0.3)
     crass (1.0.6)
+    csv (3.3.5)
     date (3.4.1)
     debug (1.10.0)
       irb (~> 1.10)
       reline (>= 0.3.8)
+    diff-lcs (1.6.2)
     domain_name (0.6.20240107)
     doorkeeper (5.8.2)
       railties (>= 5)
@@ -167,6 +172,11 @@ GEM
     erubi (1.13.1)
     et-orbi (1.2.11)
       tzinfo
+    factory_bot (6.5.6)
+      activesupport (>= 6.1.0)
+    factory_bot_rails (6.5.1)
+      factory_bot (~> 6.5)
+      railties (>= 6.1.0)
     faraday (2.13.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
@@ -202,9 +212,13 @@ GEM
       rack-protection (>= 1.5.3, < 5.0.0)
       rack-session (>= 1.0.2, < 3.0.0)
       sanitize (< 8)
+    front_matter_parser (1.0.1)
     fugit (1.11.1)
       et-orbi (~> 1, >= 1.2.11)
       raabro (~> 1.4)
+    geocoder (1.8.6)
+      base64 (>= 0.1.0)
+      csv (>= 3.0.0)
     gli (2.22.2)
       ostruct
     globalid (1.2.1)
@@ -325,6 +339,8 @@ GEM
       racc (~> 1.4)
     nokogiri (1.18.8-x86_64-linux-musl)
       racc (~> 1.4)
+    nokogiri-xmlsec-instructure (0.12.0)
+      nokogiri (~> 1.13)
     ostruct (0.6.1)
     paper_trail (16.0.0)
       activerecord (>= 6.1)
@@ -364,6 +380,8 @@ GEM
     raabro (1.4.0)
     racc (1.8.1)
     rack (3.1.15)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-protection (4.1.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
@@ -423,7 +441,29 @@ GEM
       rack (>= 1.4)
     rexml (3.4.1)
     rinku (2.0.6)
+    rotp (6.3.0)
     rouge (4.5.2)
+    rqrcode (2.2.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 1.0)
+    rqrcode_core (1.2.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.6)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-rails (7.1.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
+    rspec-support (3.13.6)
     rubocop (1.75.7)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
@@ -456,6 +496,10 @@ GEM
     ruby-vips (2.2.4)
       ffi (~> 1.12)
       logger
+    saml2 (3.2.3)
+      activesupport (>= 3.2, < 8.2)
+      nokogiri (>= 1.5.8, < 2.0)
+      nokogiri-xmlsec-instructure (~> 0.9, >= 0.9.5)
     sanitize (7.0.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.16.8)
@@ -471,6 +515,9 @@ GEM
       gli
       hashie
       logger
+    slocks (0.1.0)
+      actionview (>= 6.0)
+      activesupport (>= 6.0)
     smart_properties (1.17.0)
     stringio (3.1.7)
     superform (0.5.1)
@@ -539,19 +586,24 @@ DEPENDENCIES
   audits1984 (~> 0.1.7)
   awesome_print (~> 1.9)
   aws-sdk-s3 (~> 1.189)
+  bcrypt (~> 3.1)
   blind_index (~> 2.7)
   bootsnap
   brakeman
+  browser (~> 6.0)
   console1984 (~> 0.2.2)
   countries (~> 7.1)
   debug
   doorkeeper (~> 5.8)
   dotenv
   erb_lint (~> 0.9.0)
+  factory_bot_rails (~> 6.4)
   faraday (~> 2.13)
   flipper (~> 1.3)
   flipper-active_record (~> 1.3)
   flipper-ui (~> 1.3)
+  front_matter_parser (~> 1.0)
+  geocoder (~> 1.8)
   good_job (~> 4.10)
   hashid-rails (~> 1.4)
   honeybadger (~> 5.28)
@@ -572,12 +624,18 @@ DEPENDENCIES
   public_activity (~> 3.0)
   puma (>= 5.0)
   pundit (~> 2.5)
+  rack-attack (~> 6.7)
   rails (~> 8.0.2)
   rails_semantic_logger (~> 4.17)
   redcarpet (~> 3.6)
+  rotp (~> 6.3)
+  rqrcode (~> 2.0)
+  rspec-rails (~> 7.1)
   rubocop-rails-omakase
   ruby-vips (~> 2.2)
+  saml2 (~> 3.2)
   slack-ruby-client (~> 2.6)
+  slocks (~> 0.1.0)
   superform (~> 0.5.1)
   thruster
   tzinfo-data

app/components/api_example.rb

@@ -5,7 +5,7 @@ class Components::APIExample < Components::Base
   prop :path_only, _Boolean?
 
   def view_template
-    div style: { margin: "10px 0" } do
+      # div style: { margin: "10px 0" } do
       code style: { background: "black", padding: "0.2em", color: "white" } do
         span style: { color: "cyan" } do
           @method
@@ -19,6 +19,6 @@ def view_template
           end
         end
       end
-    end
+    # end
   end
 end

app/components/auth_welcome.rb

@@ -0,0 +1,92 @@
+class Components::AuthWelcome < Components::Base
+  include Phlex::Rails::Helpers::DistanceOfTimeInWordsToNow
+
+  def initialize(headline:, subtitle:, return_to: nil)
+    @headline = headline
+    @subtitle = subtitle
+    @return_to = return_to
+  end
+
+  def view_template
+    div(class: "auth-container") do
+      div(class: "auth-card") do
+        render_header
+        render_actions
+        render_footer
+      end
+    end
+  end
+
+  private
+
+  def render_header
+    header do
+      h1 { @headline }
+      small { @subtitle }
+    end
+  end
+
+  def render_actions
+    login_url = @return_to ? "/login?return_to=#{CGI.escape(@return_to)}" : "/login"
+
+    div(style: "margin: 3rem 0;") do
+      form(
+        action: login_url,
+        method: "post"
+      ) do
+        input(type: "hidden", name: "authenticity_token", value: helpers.form_authenticity_token)
+
+        div(style: "margin-bottom: 1rem;") do
+          input(
+            type: "email",
+            name: "email",
+            placeholder: t("identities.email_placeholder"),
+            required: true,
+            autocomplete: "email",
+            style: "width: 100%;"
+          )
+
+          small(style: "color: var(--muted-color); display: block; margin-top: 0.5rem;") do
+            plain helpers.t("logins.welcome.email_help")
+          end
+        end
+
+        button(
+          type: "submit",
+          class: "primary",
+          style: "width: 100%; margin-top: 1rem;"
+        ) do
+          plain helpers.t("logins.welcome.continue")
+          whitespace
+          plain "→"
+        end
+      end
+    end
+  end
+
+  def render_footer
+    footer(class: "welcome-footer") do
+      p(class: "welcome-links") do
+        a(href: "/docs/privacy") { "Privacy" }
+        plain " • "
+        a(href: "/docs/terms-of-service") { "Terms" }
+      end
+
+      if Rails.application.config.try(:git_version).present?
+        span(class: "welcome-version") do
+          plain "Build "
+          if Rails.application.config.try(:commit_link).present?
+            a(href: Rails.application.config.commit_link, target: "_blank") do
+              Rails.application.config.git_version
+            end
+          else
+            plain Rails.application.config.git_version
+          end
+          if Rails.application.config.try(:server_start_time).present?
+            plain " from #{distance_of_time_in_words_to_now(Rails.application.config.server_start_time)} ago"
+          end
+        end
+      end
+    end
+  end
+end

app/components/auth_welcome_test.rb

@@ -0,0 +1,13 @@
+class Components::AuthWelcomeTest < Components::Base
+  def initialize(service_name: nil, return_to: nil)
+    @service_name = service_name
+    @return_to = return_to
+  end
+
+  def view_template
+    div(class: "auth-container") do
+      h1 { "Test: #{@service_name}" }
+      p { "Return to: #{@return_to}" }
+    end
+  end
+end