From c2e44e553032ca7af72174dcf7e3d4539bb32aba Mon Sep 17 00:00:00 2001
From: vokamut
Date: Mon, 24 Jul 2023 11:01:06 +0300
Subject: [PATCH 1/2] Do not change group after authorization, Russian locale
---
app/models/oic_session.rb | 14 +++++++-----
.../_redmine_openid_connect_settings.html.erb | 5 +++++
config/locales/en.yml | 2 ++
config/locales/ru.yml | 22 +++++++++++++++++++
.../account_controller_patch.rb | 12 ++++++----
5 files changed, 46 insertions(+), 9 deletions(-)
create mode 100644 config/locales/ru.yml
diff --git a/app/models/oic_session.rb b/app/models/oic_session.rb
index dba5071..3e7b51f 100644
--- a/app/models/oic_session.rb
+++ b/app/models/oic_session.rb
@@ -72,6 +72,10 @@ def self.get_token(query) ) end + def self.dont_change_group? + client_config['dont_change_group'] + end + def get_access_token! response = self.class.get_token(access_token_query) if response["error"].blank?
@@ -136,7 +140,7 @@ def check_keycloak_role(role) if user["resource_access"].present? && user["resource_access"][client_config['client_id']].present? kc_is_in_role = user["resource_access"][client_config['client_id']]["roles"].include?(role) end - return true if kc_is_in_role + return true if kc_is_in_role end def authorized?
@@ -152,7 +156,7 @@ def authorized? if client_config['group'].present? return true if user["member_of"].present? && user["member_of"].include?(client_config['group']) - return true if user["roles"].present? && user["roles"].include?(client_config['group']) || user["roles"].include?(client_config['admin_group']) + return true if user["roles"].present? && user["roles"].include?(client_config['group']) || user["roles"].include?(client_config['admin_group']) end return false
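Review bot: `dont_change_group?` returns the raw `client_config['dont_change_group']` value instead of a boolean, and its name talks about a group while its only effect (in account_controller_patch.rb) is to stop mirroring `oic_session.admin?` onto `User#admin`. Because the predicate now gates whether admin privileges are re-evaluated on every login, it deserves a comment stating that consequence, e.g. `# When enabled, oic_local_login leaves User#admin untouched, so admin grants and revocations made at the identity provider stop propagating to Redmine until an administrator changes the flag by hand.` I would also normalise the value rather than rely on truthiness, `client_config['dont_change_group'].to_s == 'true'`, since a stored string such as "false" would otherwise count as enabled. client_config is defined outside the hunk, so I cannot confirm from here whether the stored value is a boolean or the string posted by the settings checkbox.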
@@ -163,13 +167,13 @@ def admin? if user["member_of"].present? return true if user["member_of"].include?(client_config['admin_group']) end - if user["roles"].present? + if user["roles"].present? return true if user["roles"].include?(client_config['admin_group']) end # keycloak way... return true if check_keycloak_role client_config['admin_group'] end - + return false end
@@ -235,7 +239,7 @@ def end_session_query 'session_state' => session_state, 'post_logout_redirect_uri' => "#{host_name}/oic/local_logout", } - if id_token.present? + if id_token.present? query['id_token_hint'] = id_token end return query
diff --git a/app/views/settings/_redmine_openid_connect_settings.html.erb b/app/views/settings/_redmine_openid_connect_settings.html.erb
index de205ea..e8056b6 100644
--- a/app/views/settings/_redmine_openid_connect_settings.html.erb
+++ b/app/views/settings/_redmine_openid_connect_settings.html.erb
@@ -25,6 +25,11 @@ <%= text_field_tag 'settings[scopes]', @settings['scopes'], :size => '60' %>

+

+ + <%= check_box_tag 'settings[dont_change_group]', true, @settings['dont_change_group'] %> +

+

<%= text_field_tag 'settings[group]', @settings['group'] %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 0aa1a7a..46039b0 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -8,6 +8,8 @@ en: openid_connect_server_url: OpenID Connect server url scopes: OpenID Connect scopes (comma-separated) client_secret: Client Secret + disable_ssl_validation: Disable SSL validation + dont_change_group: Do not change group group: Authorized group (blank if all users are authorized) admin_group: Admins group (members of this group are treated as admin) dynamic_config_expiry: How often to retrieve openid configuration (default 1 day)
diff --git a/config/locales/ru.yml b/config/locales/ru.yml
new file mode 100644
index 0000000..a7acf6b
--- /dev/null
+++ b/config/locales/ru.yml
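Review bot: The new `check_box_tag 'settings[dont_change_group]'` is labelled, via the en.yml key added in the same commit, as "Do not change group", but what the setting actually does in account_controller_patch.rb is skip `user.update_attribute(:admin, oic_session.admin?)`, i.e. it turns off syncing of the Redmine admin flag from the identity provider. An operator enabling it from that wording would not realise that admin revocations at the IdP no longer reach Redmine, which is the security-relevant consequence of the toggle. I would change the label to `dont_change_group: Do not sync the admin flag from the identity provider (IdP admin grants and revocations stop propagating)` and mirror that in the Russian string in config/locales/ru.yml. The surrounding `<p>`/`<label>` markup of this hunk is not visible in the rendering I have, so I am assuming the label uses the `config.dont_change_group` key; also note `check_box_tag` emits no hidden companion field, so clearing the option relies on the settings form dropping absent keys.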
@@ -0,0 +1,22 @@ +# Russian strings go here for Rails i18n +en: + config: + enabled: Включен + login_selector: Показывать форму авторизации + header: Настройка OpenID Connect + client_id: ID клиента + openid_connect_server_url: URL сервера OpenID Connect + scopes: OpenID Connect scopes (через запятую) + client_secret: Client Secret + disable_ssl_validation: Выключить валидацию SSL + dont_change_group: Не менять группу после авторизации + group: Авторизованная группу (оставьте пустым, если все пользователи авторизованы) + admin_group: Административная группу (пользователи этой группы будут назначены администраторами) + dynamic_config_expiry: Как часто получать конфигурацию openid (по умолчанию 1 день) + create_user_if_not_exists: Создать пользователя, если он не существует + disallowed_auth_sources_login: Пользователи из следующих источников аутентификации должны будут войти в систему с помощью SSO. + oic_logout_success: 'Вы вышли из системы. Войти снова.' + oic_cannot_create_user: "Не удалось создать пользователя %{value}: " + oic_try_another_account: "Попробуйте войти с другой учетной записью" + oic_cannot_login_user: "Пользователю %{value} не удалось войти: пожалуйста, войдите, используя опцию SSO" + button_login_sso: Войти с помощью SSO
diff --git a/lib/redmine_openid_connect/account_controller_patch.rb b/lib/redmine_openid_connect/account_controller_patch.rb
index 94ec852..dc4fb60 100644
--- a/lib/redmine_openid_connect/account_controller_patch.rb
+++ b/lib/redmine_openid_connect/account_controller_patch.rb
@@ -22,7 +22,7 @@ def logout rescue ActiveRecord::RecordNotFound => e redirect_to oic_local_logout_url end - + # performs redirect to SSO server def oic_login if session[:oic_session_id].blank?
@@ -93,7 +93,7 @@ def oic_local_login if user.nil? if !OicSession.create_user_if_not_exists? flash.now[:warning] ||= l(:oic_cannot_create_user, value: user_info["email"]) - + logger.warn "Could not create user #{user_info["email"]}, the system is not allowed to create new users through openid" flash.now[:warning] += "The system is not allowed to create new users through openid"
@@ -126,7 +126,9 @@ def oic_local_login user.assign_attributes attributes if user.save - user.update_attribute(:admin, oic_session.admin?) + if !OicSession.dont_change_group? + user.update_attribute(:admin, oic_session.admin?) + end oic_session.user_id = user.id oic_session.save! # after user creation just show "My Page" don't redirect to remember
@@ -140,7 +142,9 @@ def oic_local_login return invalid_credentials end else - user.update_attribute(:admin, oic_session.admin?) + if !OicSession.dont_change_group? + user.update_attribute(:admin, oic_session.admin?) + end oic_session.user_id = user.id oic_session.save! # redirect back to initial URL
From 7b6d5966b4c4658b91ca2d298f01a59301e5a62b Mon Sep 17 00:00:00 2001
From: Grigory Tumakov <4266448+vokamut@users.noreply.github.com>
Date: Thu, 14 Mar 2024 12:44:54 +0300
Subject: [PATCH 2/2] Update ru.yml
---
config/locales/ru.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/locales/ru.yml b/config/locales/ru.yml
index a7acf6b..16aa5d4 100644
--- a/config/locales/ru.yml
+++ b/config/locales/ru.yml
@@ -1,5 +1,5 @@ # Russian strings go here for Rails i18n -en: +ru: config: enabled: Включен login_selector: Показывать форму авторизации
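Review bot: The admin-flag sync is now guarded by `if !OicSession.dont_change_group?` in two identical places (the @@ -126,7 +126,9 @@ hunk and the @@ -140,7 +142,9 @@ hunk); beyond the `unless` idiom, duplicating a guard on a privilege-assignment path invites a later change fixing one site and not the other. When the guard is on, a user whose admin role was withdrawn at the identity provider keeps Redmine admin, and a freshly created user in the first hunk presumably keeps whatever `attributes` gave it rather than the IdP decision, so the skipped sync is worth a log line operators can find when auditing who is admin and why. I would move both sites into one helper, `sync_admin_flag(user, oic_session)`, called in place of each `if` block, as sketched below; `logger` is already used in this method. oic_local_login starts and ends outside these hunks, so where the helper is declared and whether it is private depends on the patch module structure I cannot see.
```ruby
if user.save
  sync_admin_flag(user, oic_session)
  # … unchanged: oic_session.user_id / save!, redirect …

# … unchanged: rest of oic_local_login, second call site likewise …

# Mirrors the IdP's admin decision onto the local account. With
# dont_change_group enabled the flag is left untouched, which means admin
# grants and revocations made at the IdP no longer reach Redmine.
def sync_admin_flag(user, oic_session)
  if OicSession.dont_change_group?
    logger.info "OpenID Connect: admin flag sync disabled, leaving admin=#{user.admin?} for user #{user.id}"
    return
  end

  user.update_attribute(:admin, oic_session.admin?)
end
```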