Implementing SSO #230
| user.unlock_access! | ||
| else | ||
| password = [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].sample(16).join | ||
| user = User.create!(email:, password:, password_confirmation: password) |
Check failure: Code scanning / CodeQL: Clear-text storage of sensitive information
Copilot Autofix (AI, 8 months ago)
To fix the issue, we need to ensure that the password is hashed before being stored in the database. Rails provides built-in support for securely hashing passwords using the has_secure_password method in the User model, which relies on bcrypt. This method automatically hashes the password when it is assigned to the password attribute.
The fix involves:
- Ensuring the User model uses has_secure_password (this is assumed to be already implemented since password and password_confirmation are used).
- Modifying the consume method to assign the plain-text password to the password attribute, allowing Rails to handle the hashing automatically.
| @@ -24,3 +24,3 @@ | ||
| password = SecureRandom.hex(16) | ||
| user = User.create!(email:, password:, password_confirmation: password) | ||
| user = User.create!(email:, password:) | ||
| user.is_user = true |
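Review bot: The substantive improvement in this hunk is the first line, password = SecureRandom.hex(16), not the removal of password_confirmation. The original generator, [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].sample(16), draws from Kernel's general-purpose PRNG rather than a CSPRNG, samples without replacement, and its '!'..'?' range repeats the digits already supplied by '0'..'9', so the 16-character result carries less entropy than its length suggests. Dropping password_confirmation changes nothing about how the value is stored: the alert is only resolved if the User model hashes password on assignment, which the Devise initializer changes and the unlock_access! call (a Devise Lockable method) in this PR indicate is already the case, since Devise stores only the bcrypt digest. Worth stating that in the PR rather than relying on the autofix wording.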
| user.unlock_access! | ||
| else | ||
| password = [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].sample(16).join | ||
| user = User.create!(email:, password:, password_confirmation: password) |
Check failure: Code scanning / CodeQL: Clear-text storage of sensitive information
Copilot Autofix (AI, 8 months ago)
To fix the issue, the password should be hashed before being stored in the database. In Rails, this is typically handled by the has_secure_password method provided by the bcrypt gem. This method automatically hashes passwords when they are assigned to the password attribute of a model. The User model should already be configured to use has_secure_password for this fix to work. If it is not, additional changes to the User model will be required.
The fix involves replacing the direct assignment of the password and password_confirmation attributes with a single assignment to the password attribute. This ensures that the password is hashed before being stored.
| @@ -24,3 +24,3 @@ | ||
| password = SecureRandom.hex(16) | ||
| user = User.create!(email:, password:, password_confirmation: password) | ||
| user = User.create!(email:, password:) | ||
| user.is_user = true |
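As an added illustration, not code from this PR or from the Copilot autofix, the block below puts the PR's original password generator beside the SecureRandom.hex(16) replacement and computes the entropy each provides; the entropy helpers and compare_generators are my own and not part of the project.

```ruby
require 'securerandom'

# Character pool exactly as written in the PR's original line. Note that the
# '!'..'?' range spans ASCII 33..63, which already contains '0'..'9', so the
# ten digits are present twice (93 entries, 83 distinct characters).
ORIGINAL_POOL = [*'0'..'9', *'a'..'z', *'A'..'Z', *'!'..'?'].freeze

# The PR's original generator: Array#sample uses Kernel's general-purpose
# PRNG (not a CSPRNG) and, given a count, samples WITHOUT replacement.
def original_password
  ORIGINAL_POOL.sample(16).join
end

# The autofix generator: 16 bytes from the OS CSPRNG, rendered as 32 hex digits.
def autofix_password
  SecureRandom.hex(16)
end

# Upper bound on the entropy (bits) of an ordered draw of k distinct entries
# from a pool of n; duplicates in the pool only lower the true figure.
def bits_without_replacement(n, k)
  ((n - k + 1)..n).sum { |x| Math.log2(x) }
end

# Entropy (bits) of k independent draws from an alphabet of n symbols.
def bits_with_replacement(n, k)
  k * Math.log2(n)
end

# Side-by-side figures for the two generators used in this PR.
def compare_generators
  {
    original_pool_size: ORIGINAL_POOL.size,
    original_distinct_chars: ORIGINAL_POOL.uniq.size,
    original_bits_upper_bound: bits_without_replacement(ORIGINAL_POOL.size, 16).round(1),
    original_bits_distinct_pool: bits_without_replacement(ORIGINAL_POOL.uniq.size, 16).round(1),
    autofix_bits: bits_with_replacement(16, 32).round(1)
  }
end

puts compare_generators
```

Neither figure is small, but the hex generator reaches a full 128 bits from a CSPRNG, while the original tops out near 100 bits and depends on a non-cryptographic source.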
Pull Request Overview
This PR implements Single Sign-On (SSO) functionality by adding new SAML routes and controllers, updating session management with Redis, and configuring SAML settings in Devise.
- Added SAML routes in routes.rb
- Introduced a new SamlController that handles SSO, ACS, and SLO flows
- Updated session store and extended Devise initializer with commented SAML config for future adjustments
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| config/routes.rb | Added SAML endpoints for metadata, SSO, ACS, logout, and SLO handling |
| config/initializers/session_store.rb | Configured Redis as the session store with updated parameters |
| config/initializers/devise.rb | Enabled email authentication and provided commented sample SAML settings |
| config/application.rb | Minor changes with stylistic quote updates and added secret_key_base |
| app/policies/pia_policy.rb | Switched to eager loading of associated records for performance improvements |
| app/models/user.rb | Updated login uniqueness validation using Ruby shorthand, but with issues |
| app/controllers/saml_controller.rb | Introduced new controller handling SSO requests and SAML attribute population |
| app/controllers/pias_controller.rb | Adjusted association loading for performance |
| app/controllers/application_controller.rb | Extended info API to include SSO enabled flag |
| Gemfile | Added new dependencies for ruby-saml, devise_saml_authenticatable, and Redis |
| attributes_allowed = ENV['SANITIZED_ALLOWED_ATTRIBUTES'] ? ENV['SANITIZED_ALLOWED_ATTRIBUTES'].split(' ') : [] | ||
| config.action_view.sanitized_allowed_attributes = attributes_allowed | ||
| config.secret_key_base = Rails.application.credentials.secret_key_base |
@kevin-atnos The change in application.rb is useless because Ruby on Rails already tries to load secret_key_base from ENV and then from credentials.
@brunto I think it's better to leave the choice of how to deploy it to the sys administrator.
# Conflicts:
#	Gemfile.lock
#	config/environments/development.rb
This pull request introduces significant updates to the application, focusing on adding SAML-based single sign-on (SSO) support, improving database query performance, and enhancing configuration and session management. Below is a summary of the most important changes grouped by theme.
SAML-Based Single Sign-On (SSO) Integration:
- Added SamlController to handle SAML metadata, SSO, logout, and SLO responses, enabling SAML-based authentication workflows (app/controllers/saml_controller.rb).
- Added SAML routes in config/routes.rb.
- Updated the devise initializer with commented-out SAML configuration options to support SAML-based user authentication (config/initializers/devise.rb).
Performance Improvements:
- Updated Pia and PiaPolicy queries to use eager_load for preloading associated user_pias, reducing N+1 query issues (app/controllers/pias_controller.rb, app/policies/pia_policy.rb) [1] [2].
Session and Configuration Enhancements:
- Configured Redis as the session store (config/initializers/session_store.rb).
- Added config.secret_key_base to config/application.rb for secure application configuration (config/application.rb).
Dependency Updates:
- Added ruby-saml and devise_saml_authenticatable for SAML authentication, and redis with redis-actionpack for Redis-based session storage (Gemfile).
Minor Code and Syntax Improvements:
- Minor code and syntax updates (app/models/user.rb, config/application.rb) [1] [2].