Module: AuthenticationAndSSOConcerns

Extended by:

ActiveSupport::Concern

Includes:

ActionController::Cookies, SignIn::Authentication

Included in:

ApplicationController

Defined in:

app/controllers/concerns/authentication_and_sso_concerns.rb

Overview

This module only gets mixed in to one place, but is that cleanest way to organize everything in one place related to this responsibility alone.

Constant Summary

Constants included from SignIn::Authentication

SignIn::Authentication::BEARER_PATTERN

Instance Method Summary

• #authenticate ⇒ Object protected
• #clear_session ⇒ Object protected

  Destroys the user’s session in Redis.

• #extend_session! ⇒ Object protected

  Extends the users session.

• #load_user(skip_terms_check: false) ⇒ Object protected
• #log_sso_info ⇒ Object protected
• #render_unauthorized ⇒ Object protected
• #reset_session ⇒ Object protected

  Destroys the users session in 1) Redis, 2) the MHV SSO Cookie, 3) and the Session Cookie.

• #set_api_cookie! ⇒ Object protected

  Sets a cookie “api_session” with all of the key/value pairs from session object.

• #set_session_expiration_header ⇒ Object protected
• #sso_logging_info ⇒ Object protected

  Info for logging purposes related to SSO.

• #validate_inbound_login_params ⇒ Object protected
• #validate_session ⇒ Object protected

Methods included from SignIn::Authentication

#authenticate_service_account

Instance Method Details

#authenticate ⇒ Object (protected)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 14

def authenticate
  if cookies[SignIn::Constants::Auth::ACCESS_TOKEN_COOKIE_NAME]
    super
  else
    validate_session || render_unauthorized
  end
end

#clear_session ⇒ Object (protected)

Destroys the user’s session in Redis

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 68

def clear_session
  Rails.logger.debug('SSO: ApplicationController#clear_session', sso_logging_info)

  @session_object&.destroy
  @current_user&.destroy
  @session_object = nil
  @current_user = nil
end

#extend_session! ⇒ Object (protected)

Extends the users session

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 90

def extend_session!
  @session_object.expire(Session.redis_namespace_ttl)
  @current_user&.identity&.expire(UserIdentity.redis_namespace_ttl)
  @current_user&.expire(User.redis_namespace_ttl)
end

#load_user(skip_terms_check: false) ⇒ Object (protected)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 56

def load_user(skip_terms_check: false)
  skip_terms_check = true if Settings.vsp_environment == 'production'

  if cookies[SignIn::Constants::Auth::ACCESS_TOKEN_COOKIE_NAME]
    super()
  else
    set_session_object
    set_current_user(skip_terms_check)
  end
end

#log_sso_info ⇒ Object (protected)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 108

def log_sso_info
  action = "#{self.class}##{action_name}"

  Rails.logger.info(
    "#{action} request completed", sso_logging_info
  )
end

#render_unauthorized ⇒ Object (protected)

Raises:

• (Common::Exceptions::Unauthorized)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 22

def render_unauthorized
  raise Common::Exceptions::Unauthorized
end

#reset_session ⇒ Object (protected)

Destroys the users session in 1) Redis, 2) the MHV SSO Cookie, 3) and the Session Cookie

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 78

def reset_session
  if Settings.test_user_dashboard.env == 'staging' && @current_user
    TestUserDashboard::UpdateUser.new(@current_user).call
    TestUserDashboard::AccountMetrics.new(@current_user).checkin
  end
  Rails.logger.info('SSO: ApplicationController#reset_session', sso_logging_info)

  clear_session
  super
end

#set_api_cookie! ⇒ Object (protected)

Sets a cookie “api_session” with all of the key/value pairs from session object.

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 97

def set_api_cookie!
  return unless @session_object

  session.delete :value
  @session_object.to_hash.each { |k, v| session[k] = v }
end

#set_session_expiration_header ⇒ Object (protected)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 104

def set_session_expiration_header
  headers['X-Session-Expiration'] = @session_object.ttl_in_time.httpdate if @session_object.present?
end

#sso_logging_info ⇒ Object (protected)

Info for logging purposes related to SSO.

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 117

def sso_logging_info
  { user_uuid: @current_user&.uuid,
    sso_cookie_contents: sso_cookie_content,
    request_host: request.host }
end

#validate_inbound_login_params ⇒ Object (protected)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 26

def validate_inbound_login_params
  csp_type = params[:csp_type] ||= ''
  if csp_type == SAML::User::LOGINGOV_CSID
    ial = params[:ial]
    raise Common::Exceptions::ParameterMissing, 'ial' if ial.blank?
    raise Common::Exceptions::InvalidFieldValue.new('ial', ial) if %w[1 2].exclude?(ial)

    ial == '1' ? IAL::LOGIN_GOV_IAL1 : IAL::LOGIN_GOV_IAL2
  else
    authn = params[:authn]
    raise Common::Exceptions::ParameterMissing, 'authn' if authn.blank?
    raise Common::Exceptions::InvalidFieldValue.new('authn', authn) if SAML::User::AUTHN_CONTEXTS.keys.exclude?(authn)

    authn
  end
end

#validate_session ⇒ Object (protected)

# File 'app/controllers/concerns/authentication_and_sso_concerns.rb', line 43

def validate_session
  load_user

  if @session_object.nil?
    Rails.logger.debug('SSO: INVALID SESSION', sso_logging_info)
    clear_session
    return false
  end

  extend_session!
  @current_user.present?
end