Merge branch 'dev' for release 6.3.14

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 ## Next release
 
+## v6.3.14 2024 February 26
+
+- improvement: add idp_slo_service_url(logout requests url) to saml provider
+- Fix a bug: event canceled places error
+- Updated puma to 6.4.2
+- Updated carrierwave to 3.0.4
+- Updated sidekiq-unique-jobs to 7.1.33
+- [TODO DEPLOY] `rails fablab:setup:build_places_cache`
+
 ## v6.3.13 2024 February 19
 
 - Fix a bug: missing payment transfer journal code in accouting line

Gemfile

@@ -7,7 +7,7 @@ gem 'rails', '~> 7.0'
 # Used by rails 5.2 to reduce the app boot time by over 50%
 gem 'bootsnap'
 # Use Puma as web server
-gem 'puma', '6.1.0'
+gem 'puma', '6.4.2'
 gem 'shakapacker', '6.6.0'
 
 # rails 6 compatibility with ruby 3 (may not be required after upgrade to rails 7)

Gemfile.lock

@@ -72,7 +72,7 @@ GEM
       tzinfo (~> 2.0)
     acts_as_list (1.0.4)
       activerecord (>= 4.2)
-    addressable (2.8.1)
+    addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     aes_key_wrap (1.1.0)
     afm (0.2.2)
@@ -102,13 +102,12 @@ GEM
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
     camertron-eprun (1.1.1)
-    carrierwave (2.1.1)
-      activemodel (>= 5.0.0)
-      activesupport (>= 5.0.0)
+    carrierwave (3.0.5)
+      activemodel (>= 6.0.0)
+      activesupport (>= 6.0.0)
       addressable (~> 2.6)
       image_processing (~> 1.1)
-      mimemagic (>= 0.3.0)
-      mini_mime (>= 0.1.3)
+      marcel (~> 1.0.0)
       ssrf_filter (~> 1.0)
     caxlsx (3.0.4)
       htmlentities (~> 4.3, >= 4.3.4)
@@ -177,7 +176,7 @@ GEM
       i18n (>= 1.6, < 2)
     faraday (0.17.3)
       multipart-post (>= 1.2, < 3)
-    ffi (1.15.5)
+    ffi (1.16.3)
     foreman (0.87.0)
     forgery (0.7.0)
     friendly_id (5.1.0)
@@ -195,7 +194,7 @@ GEM
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
-    i18n (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     icalendar (2.7.1)
       ice_cube (~> 0.16)
@@ -249,9 +248,9 @@ GEM
     mimemagic (0.4.3)
       nokogiri (~> 1)
       rake
-    mini_magick (4.10.1)
-    mini_mime (1.1.2)
-    minitest (5.18.0)
+    mini_magick (4.12.0)
+    mini_mime (1.1.5)
+    minitest (5.22.2)
     minitest-reporters (1.4.2)
       ansi
       builder
@@ -270,10 +269,10 @@ GEM
       timeout
     net-smtp (0.3.3)
       net-protocol
-    nio4r (2.5.8)
-    nokogiri (1.14.3-x86_64-darwin)
+    nio4r (2.7.0)
+    nokogiri (1.16.2-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.14.3-x86_64-linux)
+    nokogiri (1.16.2-x86_64-linux)
       racc (~> 1.4)
     oauth2 (1.4.4)
       faraday (>= 0.8, < 2.0)
@@ -338,13 +337,13 @@ GEM
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.1)
-    puma (6.1.0)
+    public_suffix (5.0.4)
+    puma (6.4.2)
       nio4r (~> 2.0)
     pundit (2.1.0)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
-    racc (1.6.2)
+    racc (1.7.3)
     rack (2.2.8.1)
     rack-oauth2 (1.21.3)
       activesupport
@@ -386,7 +385,7 @@ GEM
       thor (~> 1.0)
       zeitwerk (~> 2.5)
     rainbow (3.0.0)
-    rake (13.0.6)
+    rake (13.1.0)
     rb-fsevent (0.10.3)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
@@ -428,7 +427,7 @@ GEM
     ruby-saml (1.16.0)
       nokogiri (>= 1.13.10)
       rexml
-    ruby-vips (2.1.4)
+    ruby-vips (2.2.1)
       ffi (~> 1.12)
     rubyXL (3.4.25)
       nokogiri (>= 1.10.8)
@@ -477,7 +476,7 @@ GEM
     spring-watcher-listen (2.1.0)
       listen (>= 2.7, < 4.0)
       spring (>= 4)
-    ssrf_filter (1.0.7)
+    ssrf_filter (1.1.2)
     stripe (5.29.0)
     swd (1.3.0)
       activesupport (>= 3)
@@ -596,7 +595,7 @@ DEPENDENCIES
   prawn
   prawn-table
   pry
-  puma (= 6.1.0)
+  puma (= 6.4.2)
   pundit
   railroady
   rails (~> 7.0)

app/controllers/api/auth_providers_controller.rb

@@ -108,7 +108,7 @@ class API::AuthProvidersController < API::APIController
     elsif params['auth_provider']['providable_type'] == SamlProvider.name
       params.require(:auth_provider)
             .permit(:id, :name, :providable_type,
-                    providable_attributes: [:id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert],
+                    providable_attributes: [:id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url],
                     auth_provider_mappings_attributes: [:id, :local_model, :local_field, :api_field, :api_endpoint, :api_data_type,
                                                         :_destroy, { transformation: [:type, :format, :true_value, :false_value,
                                                                                       { mapping: %i[from to] }] }])

app/frontend/src/javascript/components/authentication-provider/saml-form.tsx

@@ -58,6 +58,13 @@ export const SamlForm = <TFieldValues extends FieldValues>({ register, strategyN
                  tooltip={t('app.admin.authentication.saml_form.profile_edition_url_help')}
                  rules={{ required: true, pattern: ValidationLib.urlRegex }}
                  formState={formState} />
+      <FormInput id="providable_attributes.idp_slo_service_url"
+                 register={register}
+                 placeholder="https://sso.exemple.net..."
+                 label={t('app.admin.authentication.saml_form.idp_slo_service_url')}
+                 tooltip={t('app.admin.authentication.saml_form.idp_slo_service_url_help')}
+                 rules={{ pattern: ValidationLib.urlRegex }}
+                 formState={formState} />
     </div>
   );
 };

app/frontend/src/javascript/models/authentication-provider.ts

@@ -72,6 +72,7 @@ export interface SamlProvider {
   idp_cert_fingerprint: string,
   idp_cert: string,
   profile_url: string,
+  idp_slo_service_url: string,
 }
 
 export interface MappingFields {

app/models/slots_reservation.rb

@@ -66,10 +66,13 @@ class SlotsReservation < ApplicationRecord
   # @param target_slot [Slot]
   def update_places_cache(operation, target_slot = slot)
     if reservation.reservable_type == 'Event'
+      total_booked_seats = reservation.nb_reserve_places
+      total_booked_seats += reservation.tickets.map(&:booked).map(&:to_i).reduce(:+) if reservation.tickets.count.positive?
+      total_booked_seats = 0 if reservation.reservable.pre_registration
       Slots::PlacesCacheService.change_places(target_slot,
                                               reservation.reservable_type,
                                               reservation.reservable_id,
-                                              reservation.reservable.pre_registration ? 0 : reservation.total_booked_seats,
+                                              total_booked_seats,
                                               operation)
     else
       Slots::PlacesCacheService.change_places(target_slot, reservation.reservable_type, reservation.reservable_id, 1, operation)

app/views/api/auth_providers/show.json.jbuilder

@@ -22,6 +22,6 @@ end
 
 if @provider.providable_type == SamlProvider.name
   json.providable_attributes do
-    json.extract! @provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert
+    json.extract! @provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url
   end
 end

app/views/auth_provider/provider.json.jbuilder

@@ -23,6 +23,6 @@ end
 
 if provider.providable_type == 'SamlProvider'
   json.providable_attributes do
-    json.extract! provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert
+    json.extract! provider.providable, :id, :sp_entity_id, :idp_sso_service_url, :profile_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_service_url
   end
 end

config/initializers/devise.rb

@@ -250,6 +250,7 @@ Devise.setup do |config|
       config.omniauth active_provider.strategy_name.to_sym,
                       sp_entity_id: active_provider.providable.sp_entity_id,
                       idp_sso_service_url: active_provider.providable.idp_sso_service_url,
+                      idp_slo_service_url: active_provider.providable.idp_slo_service_url,
                       idp_cert: active_provider.providable.idp_cert,
                       idp_cert_fingerprint: active_provider.providable.idp_cert_fingerprint,
                       strategy_class: OmniAuth::Strategies::SsoSamlProvider

config/locales/app.admin.de.yml

@@ -1569,6 +1569,8 @@ de:
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Name"
           authentication_type: "Authentifizierungsart"

config/locales/app.admin.en.yml

@@ -1569,6 +1569,8 @@ en:
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Name"
           authentication_type: "Authentication type"

config/locales/app.admin.es-MX.yml

@@ -1569,6 +1569,8 @@ es-MX:
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Nombre"
           authentication_type: "Tipo de autenticación"

config/locales/app.admin.es.yml

@@ -1569,6 +1569,8 @@ es:
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Nombre"
           authentication_type: "Tipo de autenticación"

config/locales/app.admin.fr.yml

@@ -1569,6 +1569,8 @@ fr:
           idp_cert: "Certificat de fournisseur d'identité"
           profile_edition_url: "URL d'édition du profil"
           profile_edition_url_help: "L'URL de la page où l'utilisateur peut modifier son profil."
+          idp_slo_service_url: "URL de demande de déconnexion"
+          idp_slo_service_url_help: "L'URL à laquelle la requête d'authentification doit être envoyée. Cela serait sur le fournisseur d'identité."
         provider_form:
           name: "Nom"
           authentication_type: "Type d'authentification"

config/locales/app.admin.it.yml

@@ -1569,6 +1569,8 @@ it:
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Nome"
           authentication_type: "Tipo di autenticazione"

config/locales/app.admin.no.yml

@@ -1569,6 +1569,8 @@
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Name"
           authentication_type: "Authentication type"

config/locales/app.admin.pt.yml

@@ -1569,6 +1569,8 @@ pt:
           idp_cert: "Identity provider certificate"
           profile_edition_url: "Profil edition URL"
           profile_edition_url_help: "The URL of the page where the user can edit his profile."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Nome"
           authentication_type: "Tipo de autenticação"

config/locales/app.admin.sv.yml

@@ -1569,6 +1569,8 @@ sv:
           idp_cert: "Identitetsleverantörens certifikat"
           profile_edition_url: "URL för Profilutgåva"
           profile_edition_url_help: "URL till sidan där användaren kan redigera sin profil."
+          idp_slo_service_url: "Single logout request URL"
+          idp_slo_service_url_help: "The URL to which the single logout request and response should be sent. This would be on the identity provider."
         provider_form:
           name: "Namn"
           authentication_type: "Autentiseringstyp"

config/locales/app.admin.zu.yml

@@ -1569,6 +1569,8 @@ zu:
           idp_cert: "crwdns38158:0crwdne38158:0"
           profile_edition_url: "crwdns38160:0crwdne38160:0"
           profile_edition_url_help: "crwdns38162:0crwdne38162:0"
+          idp_slo_service_url: "crwdns38176:0crwdne38176:0"
+          idp_slo_service_url_help: "crwdns38178:0crwdne38178:0"
         provider_form:
           name: "crwdns26204:0crwdne26204:0"
           authentication_type: "crwdns26206:0crwdne26206:0"

db/migrate/20240220140225_add_idp_slo_service_url_to_saml_providers.rb

@@ -0,0 +1,5 @@
+class AddIdpSloServiceUrlToSamlProviders < ActiveRecord::Migration[7.0]
+  def change
+    add_column :saml_providers, :idp_slo_service_url, :string
+  end
+end

db/structure.sql

@@ -3278,7 +3278,8 @@ CREATE TABLE public.saml_providers (
     updated_at timestamp(6) without time zone NOT NULL,
     profile_url character varying,
     idp_cert character varying,
-    idp_cert_fingerprint character varying
+    idp_cert_fingerprint character varying,
+    idp_slo_service_url character varying
 );
 
 
@@ -9324,6 +9325,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20231108094433'),
 ('20240116163703'),
 ('20240126145351'),
-('20240126192110');
+('20240126192110'),
+('20240220140225');
 
 

doc/sso_saml.md

@@ -0,0 +1,79 @@
+# Single-Sign-On authentication using SAML
+This document provides instructions on how to configure SAML (Security Assertion Markup Language) in FabManager. SAML enables secure single sign-on (SSO) authentication between a service provider (SP), such as FabManager, and an identity provider (IdP), which could be your organization's authentication system.
+
+## Configuration Steps:
+
+1. Gather Required Information:
+Before configuring SAML in FabManager, ensure you have the following information from your identity provider:
+
+* Service provider entity ID
+* Identity provider SSO service URL (required)
+* Identity provider certificate fingerprint (SHA1 format) or Identity provider certificate (PEM format)
+* Single logout request URL (option)
+
+2. Access FabManager Configuration:
+Log in to your FabManager instance with administrative privileges.
+
+3. Navigate to Users Settings -> Authentication:
+Add a new authentication provider, enter your name of new authentification
+
+4. Select SAML:
+Locate the authentication type option to enable SAML.
+
+5. Enter SAML Configuration Details:
+Now, enter the SAML configuration details obtained from your identity provider into the corresponding fields in FabManager's SAML settings. These fields typically include:
+
+SP Entity ID: Enter the Service Provider entity ID. (required)
+IdP SSO Service URL: Provide the Identity Provider SSO service URL. (required)
+IdP Certificate Fingerprint: Enter the fingerprint of the Identity Provider certificate.(SHA1 format)
+IdP Certificate: Enter the Identity Provider certificate.(PEM format)
+Profile URL: Enter the Profile edition URL.(required)
+IdP SLO Service URL: Provide the Single Logout Request URL. (option)
+
+6. Configuring User Profile Attributes Mapping in FabManager
+FabManager allows you to map user profile attributes to ensure that essential information, such as user UID, email, first name, and last name, is accurately synchronized between the identity provider (IdP) and FabManager.
+Before proceeding with mapping, ensure you understand the user profile attributes you want to synchronize. Based on your requirements, identify the following attributes:
+
+user.uid: Unique identifier for the user.
+user.email: User's email address.
+profile.first_name: User's first name.
+profile.last_name: User's last name.
+
+7. Save Configuration:
+After entering all the required information, save the SAML configuration settings.
+
+## After configuring SAML integration in FabManager, you need to follow these steps to activate SAML authentication within the application:
+
+1. Access FabManager Docker Container:
+Use the following command to enter the FabManager Docker container:
+```bash
+docker exec -it CONTAINER_NAME_APP bash
+```
+Replace `CONTAINER_NAME_APP` with the actual name of your FabManager Docker container.
+
+2. Switch to SAML Authentication:
+Once inside the Docker container, switch to SAML authentication mode using the following command:
+```bash
+rails fablab:auth:switch_provider[NAME_OF_SAML]
+```
+Replace NAME_OF_SAML with the name you assigned to your SAML provider during the configuration.
+
+3. Exit FabManager docker container and Restart the Application:
+```bash
+docker rm -f CONTAINER_NAME_APP
+docker-compose up -d
+```
+
+4. Notify Current Users to login with SAML:
+It's essential to inform current users about the authentication method change. Use the following command to notify them:
+```bash
+docker exec -it CONTAINER_NAME_APP bash
+rails fablab:auth:notify_changed
+```
+To ensure a seamless transition for existing users to the new SAML authentication method, you can send them an email containing a link that will enable them to connect their existing FabManager accounts with their SAML identities.
+This link include a token to authenticate the user and link their accounts. Upon successful connection, provide users with confirmation that their accounts have been linked to their SAML identities with authentification code.
+By following these steps, existing users can seamlessly transition to SAML authentication without needing to re-enter their profile information.
+
+## After user login via SAML
+FabManager requires certain user attributes such as username, email, first name, last name, gender, and birthday to be mandatory.
+Users provide all necessary information required by FabManager, even if certain attributes are not directly mapped through the SAML authentication process.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "fab-manager",
-  "version": "6.3.13",
+  "version": "6.3.14",
   "description": "Fab-manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.",
   "keywords": [
     "fablab",
@@ -117,7 +117,7 @@
     "angular-unsavedchanges": "0.2",
     "angular-xeditable": "0.10",
     "assert": "^2.0.0",
-    "axios": "^0.21.2",
+    "axios": "^0.28.0",
     "babel-loader": "^9.1.2",
     "babel-plugin-macros": "^3.1.0",
     "babel-plugin-transform-react-remove-prop-types": "^0.4.24",

yarn.lock

@@ -4303,12 +4303,14 @@ available-typed-arrays@^1.0.5:
   resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7"
   integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==
 
-axios@^0.21.2:
-  version "0.21.2"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.2.tgz#21297d5084b2aeeb422f5d38e7be4fbb82239017"
-  integrity sha512-87otirqUw3e8CzHTMO+/9kh/FSgXt/eVDvipijwDtEuwbkySWZ9SBm6VEubmJ/kLKEoLQV/POhxXFb66bfekfg==
+axios@^0.28.0:
+  version "0.28.0"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-0.28.0.tgz#801a4d991d0404961bccef46800e1170f8278c89"
+  integrity sha512-Tu7NYoGY4Yoc7I+Npf9HhUMtEEpV7ZiLH9yndTCoNhcpBH0kwcvFbzYN9/u5QKI5A6uefjsNNWaz5olJVYS62Q==
   dependencies:
-    follow-redirects "^1.14.0"
+    follow-redirects "^1.15.0"
+    form-data "^4.0.0"
+    proxy-from-env "^1.1.0"
 
 babel-jest@^29.3.1:
   version "29.3.1"
@@ -6114,10 +6116,10 @@ flatted@^3.1.0:
   resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.2.5.tgz#76c8584f4fc843db64702a6bd04ab7a8bd666da3"
   integrity sha512-WIWGi2L3DyTUvUrwRKgGi9TwxQMUEqPOPQBVi71R96jZXJdFskXEmf54BoZaS1kknGODoIGASGEzBUYdyMCBJg==
 
-follow-redirects@^1.0.0, follow-redirects@^1.14.0:
-  version "1.14.8"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.14.8.tgz#016996fb9a11a100566398b1c6839337d7bfa8fc"
-  integrity sha512-1x0S9UVJHsQprFcEC/qnNzBLcIxsjAV905f/UkQxbclCsoTWlacCNOpQa/anodLl2uaEKFhfWOvM2Qg77+15zA==
+follow-redirects@^1.0.0, follow-redirects@^1.15.0:
+  version "1.15.5"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.5.tgz#54d4d6d062c0fa7d9d17feb008461550e3ba8020"
+  integrity sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw==
 
 for-each@^0.3.3:
   version "0.3.3"
@@ -8891,6 +8893,11 @@ proxy-addr@~2.0.7:
     forwarded "0.2.0"
     ipaddr.js "1.9.1"
 
+proxy-from-env@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
+  integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
+
 psl@^1.1.33:
   version "1.9.0"
   resolved "https://registry.yarnpkg.com/psl/-/psl-1.9.0.tgz#d0df2a137f00794565fcaf3b2c00cd09f8d5a5a7"