Make PAM gem optional, allow configuration over environment (#6415)

diff --git a/.env.production.sample b/.env.production.sample
index 777336de1d1141e6be5d8834e3b4e730f99c1757..a4b689a31ff1af4b1631f63363dbbd14eedc1fc9 100644 (file)
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -136,6 +136,15 @@ STREAMING_CLUSTER_NUM=1
 # UID=1000
 # GID=1000
 
+# PAM authentication (optional)
+# PAM_ENABLED=true
+# Suffix for email address generation (nil by default)
+# PAM_DEFAULT_SUFFIX=pam
+# Name of the pam service (pam "auth" section is evaluated)
+# PAM_DEFAULT_SERVICE=rpam
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated)
+# PAM_CONTROLLED_SERVICE=rpam
+
 # Optional CAS authentication (cf. omniauth-cas) :
 # CAS_ENABLED=true
 # CAS_URL=https://sso.myserver.com/

diff --git a/Gemfile b/Gemfile
index 5b6ae707dbc2b0115945cd227401f3efd1100b2b..3b39f394621440689cefa71d8924219b680abf9c 100644 (file)
--- a/Gemfile
+++ b/Gemfile
@@ -31,7 +31,7 @@ gem 'cld3', '~> 3.2.0'
 gem 'devise', '~> 4.4'
 gem 'devise-two-factor', '~> 3.0'
 
-gem 'devise_pam_authenticatable2', '~> 8.0'
+gem 'devise_pam_authenticatable2', '~> 8.0', install_if: -> { ENV['PAM_ENABLED'] == 'true' }
 gem 'omniauth-cas', '~> 1.1', install_if: -> { ENV['CAS_ENABLED'] == 'true' }
 gem 'omniauth-saml', '~> 1.8', install_if: -> { ENV['SAML_ENABLED'] == 'true' }
 gem 'omniauth', '~> 1.2'

diff --git a/app/models/user.rb b/app/models/user.rb
index fba4784538e8f9f3f57d2dd91537b714ef6fa2f9..feaf8b26c7ee6cca06e120dd25741bb8a0e0103e 100644 (file)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -52,7 +52,7 @@ class User < ApplicationRecord
   devise :registerable, :recoverable, :rememberable, :trackable, :validatable,
          :confirmable
 
-  devise :pam_authenticatable
+  devise :pam_authenticatable if Devise.pam_authentication
   devise :omniauthable
 
   belongs_to :account, inverse_of: :user

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index f2f7f1ba338051b0101f50bf24a192774765f0b2..ba7ad9e6c81c8e44335aaf0363eb6d704f8e966c 100644 (file)
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -315,22 +315,13 @@ Devise.setup do |config|
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
 
-  # PAM: only look for email field
-  config.usernamefield = nil
-  config.emailfield = "email"
-
-  # authentication with pam possible
-  # if not enabled, all pam settings are ignored
-  #config.pam_authentication = true
-  # check if email is actually a username
-  config.check_at_sign = true
-  # suffix for email address generation (warning: without pam must provide email in the pam environment)
-  config.pam_default_suffix = "pam"
-  # name of the pam service
-  # pam "auth" section is evaluated
-  config.pam_default_service = "rpam"
-  # name of the pam service used for checking if an user can register
-  # pam "account" section is evaluated
-  # nil for allowing registration of pam names (not recommended)
-  config.pam_controlled_service = "rpam"
+  if ENV['PAM_ENABLED'] == 'true'
+    config.pam_authentication     = true
+    config.usernamefield          = nil
+    config.emailfield             = 'email'
+    config.check_at_sign          = true
+    config.pam_default_suffix     = ENV.fetch('PAM_DEFAULT_SUFFIX') { nil }
+    config.pam_default_service    = ENV.fetch('PAM_DEFAULT_SERVICE') { 'rpam' }
+    config.pam_controlled_service = ENV.fetch('PAM_CONTROLLED_SERVICE') { 'rpam' }
+  end
 end