1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
17 "git.arvados.org/arvados.git/lib/controller/rpc"
18 "git.arvados.org/arvados.git/lib/ctrlctx"
19 "git.arvados.org/arvados.git/sdk/go/arvados"
20 "git.arvados.org/arvados.git/sdk/go/auth"
21 "git.arvados.org/arvados.git/sdk/go/httpserver"
24 type loginController interface {
25 Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
26 Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
27 UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
30 func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
31 wantGoogle := cluster.Login.Google.Enable
32 wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
33 wantSSO := cluster.Login.SSO.Enable
34 wantPAM := cluster.Login.PAM.Enable
35 wantLDAP := cluster.Login.LDAP.Enable
36 wantTest := cluster.Login.Test.Enable
37 wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
39 case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
40 return errorLoginController{
41 error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
44 return &oidcLoginController{
47 Issuer: "https://accounts.google.com",
48 ClientID: cluster.Login.Google.ClientID,
49 ClientSecret: cluster.Login.Google.ClientSecret,
50 UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
52 EmailVerifiedClaim: "email_verified",
54 case wantOpenIDConnect:
55 return &oidcLoginController{
58 Issuer: cluster.Login.OpenIDConnect.Issuer,
59 ClientID: cluster.Login.OpenIDConnect.ClientID,
60 ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
61 EmailClaim: cluster.Login.OpenIDConnect.EmailClaim,
62 EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim,
63 UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim,
66 return &ssoLoginController{Parent: parent}
68 return &pamLoginController{Cluster: cluster, Parent: parent}
70 return &ldapLoginController{Cluster: cluster, Parent: parent}
72 return &testLoginController{Cluster: cluster, Parent: parent}
73 case wantLoginCluster:
74 return &federatedLoginController{Cluster: cluster}
76 return errorLoginController{
77 error: errors.New("BUG: missing case in login controller setup switch"),
82 func countTrue(vals ...bool) int {
84 for _, val := range vals {
92 // Login and Logout are passed through to the parent's railsProxy;
93 // UserAuthenticate is rejected.
94 type ssoLoginController struct{ Parent *Conn }
96 func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
97 return ctrl.Parent.railsProxy.Login(ctx, opts)
99 func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
100 return ctrl.Parent.railsProxy.Logout(ctx, opts)
102 func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
103 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
106 type errorLoginController struct{ error }
108 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
109 return arvados.LoginResponse{}, ctrl.error
111 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
112 return arvados.LogoutResponse{}, ctrl.error
114 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
115 return arvados.APIClientAuthorization{}, ctrl.error
118 type federatedLoginController struct {
119 Cluster *arvados.Cluster
122 func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
123 return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest)
125 func (ctrl federatedLoginController) Logout(_ context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
126 return noopLogout(ctrl.Cluster, opts)
128 func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
129 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
132 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
133 target := opts.ReturnTo
135 if cluster.Services.Workbench2.ExternalURL.Host != "" {
136 target = cluster.Services.Workbench2.ExternalURL.String()
138 target = cluster.Services.Workbench1.ExternalURL.String()
141 return arvados.LogoutResponse{RedirectLocation: target}, nil
144 func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) {
146 return arvados.APIClientAuthorization{}, errors.New("configuration error: empty SystemRootToken")
148 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
149 newsession, err := conn.railsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
150 // Send a fake ReturnTo value instead of the caller's
151 // opts.ReturnTo. We won't follow the resulting
152 // redirect target anyway.
153 ReturnTo: ",https://controller.api.client.invalid",
159 target, err := url.Parse(newsession.RedirectLocation)
163 token := target.Query().Get("api_token")
164 tx, err := ctrlctx.CurrentTx(ctx)
169 if strings.Contains(token, "/") {
170 tokenparts := strings.Split(token, "/")
171 if len(tokenparts) >= 3 {
172 tokensecret = tokenparts[2]
175 var exp sql.NullString
177 err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
181 resp.ExpiresAt = exp.String
183 err = json.Unmarshal(scopes, &resp.Scopes)
185 return resp, fmt.Errorf("unmarshal scopes: %s", err)