lib/controller/localdb/login.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package localdb
   6
   7 import (
   8         "context"
   9         "database/sql"
  10         "encoding/json"
  11         "errors"
  12         "fmt"
  13         "net/http"
  14         "net/url"
  15         "strings"
  16
  17         "git.arvados.org/arvados.git/lib/controller/rpc"
  18         "git.arvados.org/arvados.git/sdk/go/arvados"
  19         "git.arvados.org/arvados.git/sdk/go/auth"
  20         "git.arvados.org/arvados.git/sdk/go/httpserver"
  21 )
  22
  23 type loginController interface {
  24         Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
  25         Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
  26         UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
  27 }
  28
  29 func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController {
  30         wantGoogle := cluster.Login.Google.Enable
  31         wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
  32         wantSSO := cluster.Login.SSO.Enable
  33         wantPAM := cluster.Login.PAM.Enable
  34         wantLDAP := cluster.Login.LDAP.Enable
  35         switch {
  36         case wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
  37                 return &oidcLoginController{
  38                         Cluster:            cluster,
  39                         RailsProxy:         railsProxy,
  40                         Issuer:             "https://accounts.google.com",
  41                         ClientID:           cluster.Login.Google.ClientID,
  42                         ClientSecret:       cluster.Login.Google.ClientSecret,
  43                         UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
  44                         EmailClaim:         "email",
  45                         EmailVerifiedClaim: "email_verified",
  46                 }
  47         case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
  48                 return &oidcLoginController{
  49                         Cluster:            cluster,
  50                         RailsProxy:         railsProxy,
  51                         Issuer:             cluster.Login.OpenIDConnect.Issuer,
  52                         ClientID:           cluster.Login.OpenIDConnect.ClientID,
  53                         ClientSecret:       cluster.Login.OpenIDConnect.ClientSecret,
  54                         EmailClaim:         cluster.Login.OpenIDConnect.EmailClaim,
  55                         EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim,
  56                         UsernameClaim:      cluster.Login.OpenIDConnect.UsernameClaim,
  57                 }
  58         case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP:
  59                 return &ssoLoginController{railsProxy}
  60         case !wantGoogle && !wantOpenIDConnect && !wantSSO && wantPAM && !wantLDAP:
  61                 return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
  62         case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && wantLDAP:
  63                 return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
  64         default:
  65                 return errorLoginController{
  66                         error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, and Login.LDAP must be enabled"),
  67                 }
  68         }
  69 }
  70
  71 // Login and Logout are passed through to the wrapped railsProxy;
  72 // UserAuthenticate is rejected.
  73 type ssoLoginController struct{ *railsProxy }
  74
  75 func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
  76         return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
  77 }
  78
  79 type errorLoginController struct{ error }
  80
  81 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
  82         return arvados.LoginResponse{}, ctrl.error
  83 }
  84 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
  85         return arvados.LogoutResponse{}, ctrl.error
  86 }
  87 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
  88         return arvados.APIClientAuthorization{}, ctrl.error
  89 }
  90
  91 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
  92         target := opts.ReturnTo
  93         if target == "" {
  94                 if cluster.Services.Workbench2.ExternalURL.Host != "" {
  95                         target = cluster.Services.Workbench2.ExternalURL.String()
  96                 } else {
  97                         target = cluster.Services.Workbench1.ExternalURL.String()
  98                 }
  99         }
 100         return arvados.LogoutResponse{RedirectLocation: target}, nil
 101 }
 102
 103 func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) {
 104         ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
 105         newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
 106                 // Send a fake ReturnTo value instead of the caller's
 107                 // opts.ReturnTo. We won't follow the resulting
 108                 // redirect target anyway.
 109                 ReturnTo: ",https://none.invalid",
 110                 AuthInfo: authinfo,
 111         })
 112         if err != nil {
 113                 return
 114         }
 115         target, err := url.Parse(newsession.RedirectLocation)
 116         if err != nil {
 117                 return
 118         }
 119         token := target.Query().Get("api_token")
 120         tx, err := currenttx(ctx)
 121         if err != nil {
 122                 return
 123         }
 124         tokensecret := token
 125         if strings.Contains(token, "/") {
 126                 tokenparts := strings.Split(token, "/")
 127                 if len(tokenparts) >= 3 {
 128                         tokensecret = tokenparts[2]
 129                 }
 130         }
 131         var exp sql.NullString
 132         var scopes []byte
 133         err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
 134         if err != nil {
 135                 return
 136         }
 137         resp.ExpiresAt = exp.String
 138         if len(scopes) > 0 {
 139                 err = json.Unmarshal(scopes, &resp.Scopes)
 140                 if err != nil {
 141                         return resp, fmt.Errorf("unmarshal scopes: %s", err)
 142                 }
 143         }
 144         return
 145 }