1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
17 "git.arvados.org/arvados.git/lib/controller/rpc"
18 "git.arvados.org/arvados.git/lib/ctrlctx"
19 "git.arvados.org/arvados.git/sdk/go/arvados"
20 "git.arvados.org/arvados.git/sdk/go/auth"
21 "git.arvados.org/arvados.git/sdk/go/httpserver"
24 type loginController interface {
25 Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
26 Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
27 UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
30 func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController {
31 wantGoogle := cluster.Login.Google.Enable
32 wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
33 wantSSO := cluster.Login.SSO.Enable
34 wantPAM := cluster.Login.PAM.Enable
35 wantLDAP := cluster.Login.LDAP.Enable
36 wantTest := cluster.Login.Test.Enable
38 case wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP && !wantTest:
39 return &oidcLoginController{
41 RailsProxy: railsProxy,
42 Issuer: "https://accounts.google.com",
43 ClientID: cluster.Login.Google.ClientID,
44 ClientSecret: cluster.Login.Google.ClientSecret,
45 UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
47 EmailVerifiedClaim: "email_verified",
49 case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP && !wantTest:
50 return &oidcLoginController{
52 RailsProxy: railsProxy,
53 Issuer: cluster.Login.OpenIDConnect.Issuer,
54 ClientID: cluster.Login.OpenIDConnect.ClientID,
55 ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
56 EmailClaim: cluster.Login.OpenIDConnect.EmailClaim,
57 EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim,
58 UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim,
60 case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP && !wantTest:
61 return &ssoLoginController{railsProxy}
62 case !wantGoogle && !wantOpenIDConnect && !wantSSO && wantPAM && !wantLDAP && !wantTest:
63 return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
64 case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && wantLDAP && !wantTest:
65 return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
66 case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP && wantTest:
67 return &testLoginController{Cluster: cluster, RailsProxy: railsProxy}
69 return errorLoginController{
70 error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, and Login.Test must be enabled"),
75 // Login and Logout are passed through to the wrapped railsProxy;
76 // UserAuthenticate is rejected.
77 type ssoLoginController struct{ *railsProxy }
79 func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
80 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
83 type errorLoginController struct{ error }
85 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
86 return arvados.LoginResponse{}, ctrl.error
88 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
89 return arvados.LogoutResponse{}, ctrl.error
91 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
92 return arvados.APIClientAuthorization{}, ctrl.error
95 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
96 target := opts.ReturnTo
98 if cluster.Services.Workbench2.ExternalURL.Host != "" {
99 target = cluster.Services.Workbench2.ExternalURL.String()
101 target = cluster.Services.Workbench1.ExternalURL.String()
104 return arvados.LogoutResponse{RedirectLocation: target}, nil
107 func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) {
108 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
109 newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
110 // Send a fake ReturnTo value instead of the caller's
111 // opts.ReturnTo. We won't follow the resulting
112 // redirect target anyway.
113 ReturnTo: ",https://none.invalid",
119 target, err := url.Parse(newsession.RedirectLocation)
123 token := target.Query().Get("api_token")
124 tx, err := ctrlctx.CurrentTx(ctx)
129 if strings.Contains(token, "/") {
130 tokenparts := strings.Split(token, "/")
131 if len(tokenparts) >= 3 {
132 tokensecret = tokenparts[2]
135 var exp sql.NullString
137 err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
141 resp.ExpiresAt = exp.String
143 err = json.Unmarshal(scopes, &resp.Scopes)
145 return resp, fmt.Errorf("unmarshal scopes: %s", err)