1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
13 "git.arvados.org/arvados.git/lib/controller/rpc"
14 "git.arvados.org/arvados.git/sdk/go/arvados"
15 "git.arvados.org/arvados.git/sdk/go/auth"
16 "git.arvados.org/arvados.git/sdk/go/httpserver"
19 type loginController interface {
20 Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
21 Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
22 UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
25 func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController {
26 wantGoogle := cluster.Login.GoogleClientID != ""
27 wantSSO := cluster.Login.ProviderAppID != ""
28 wantPAM := cluster.Login.PAM
29 wantLDAP := cluster.Login.LDAP.Enable
31 case wantGoogle && !wantSSO && !wantPAM && !wantLDAP:
32 return &googleLoginController{Cluster: cluster, RailsProxy: railsProxy}
33 case !wantGoogle && wantSSO && !wantPAM && !wantLDAP:
34 return &ssoLoginController{railsProxy}
35 case !wantGoogle && !wantSSO && wantPAM && !wantLDAP:
36 return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
37 case !wantGoogle && !wantSSO && !wantPAM && wantLDAP:
38 return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
40 return errorLoginController{
41 error: errors.New("configuration problem: exactly one of Login.GoogleClientID, Login.ProviderAppID, Login.PAM, or Login.LDAP.Enable must be configured"),
46 // Login and Logout are passed through to the wrapped railsProxy;
47 // UserAuthenticate is rejected.
48 type ssoLoginController struct{ *railsProxy }
50 func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
51 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
54 type errorLoginController struct{ error }
56 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
57 return arvados.LoginResponse{}, ctrl.error
59 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
60 return arvados.LogoutResponse{}, ctrl.error
62 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
63 return arvados.APIClientAuthorization{}, ctrl.error
66 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
67 target := opts.ReturnTo
69 if cluster.Services.Workbench2.ExternalURL.Host != "" {
70 target = cluster.Services.Workbench2.ExternalURL.String()
72 target = cluster.Services.Workbench1.ExternalURL.String()
75 return arvados.LogoutResponse{RedirectLocation: target}, nil
78 func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (arvados.APIClientAuthorization, error) {
79 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
80 resp, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
81 // Send a fake ReturnTo value instead of the caller's
82 // opts.ReturnTo. We won't follow the resulting
83 // redirect target anyway.
84 ReturnTo: ",https://none.invalid",
88 return arvados.APIClientAuthorization{}, err
90 target, err := url.Parse(resp.RedirectLocation)
92 return arvados.APIClientAuthorization{}, err
94 token := target.Query().Get("api_token")
95 return conn.APIClientAuthorizationCurrent(auth.NewContext(ctx, auth.NewCredentials(token)), arvados.GetOptions{})