1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 class UserSessionsController < ApplicationController
6 before_action :require_auth_scope, :only => [ :destroy ]
8 skip_before_action :set_cors_headers
9 skip_before_action :find_object_by_uuid
10 skip_before_action :render_404_if_no_object
14 # omniauth callback method
16 omniauth = request.env['omniauth.auth']
19 user = User.register omniauth['info']
22 return redirect_to login_failure_url
25 # For the benefit of functional and integration tests:
28 if user.uuid[0..4] != Rails.configuration.ClusterID
29 # Actually a remote user
30 # Send them to their home cluster's login
31 rh = Rails.configuration.RemoteClusters[user.uuid[0..4]]
32 remote, return_to_url = params[:return_to].split(',', 2)
33 @remotehomeurl = "#{rh.Scheme || "https"}://#{rh.Host}/login?remote=#{Rails.configuration.ClusterID}&return_to=#{return_to_url}"
38 # prevent ArvadosModel#before_create and _update from throwing
40 Thread.current[:user] = user
42 user.save or raise Exception.new(user.errors.messages)
44 omniauth.delete('extra')
46 # Give the authenticated user a cookie for direct API access
47 session[:user_id] = user.id
48 session[:api_client_uuid] = nil
49 session[:api_client_trusted] = true # full permission to see user's secrets
51 @redirect_to = root_path
52 if params.has_key?(:return_to)
53 # return_to param's format is 'remote,return_to_url'. This comes from login()
54 # encoding the remote=zbbbb parameter passed by a client asking for a salted
56 remote, return_to_url = params[:return_to].split(',', 2)
57 if remote !~ /^[0-9a-z]{5}$/ && remote != ""
58 return send_error 'Invalid remote cluster id', status: 400
60 remote = nil if remote == ''
61 return send_api_token_to(return_to_url, user, remote)
63 redirect_to @redirect_to
66 # Omniauth failure callback
68 flash[:notice] = params[:message]
71 # logout - Clear our rack session BUT essentially redirect to the provider
72 # to clean up the Devise session from there too !
74 session[:user_id] = nil
76 flash[:notice] = 'You have logged off'
77 return_to = params[:return_to] || root_url
78 redirect_to "#{Rails.configuration.Services.SSO.ExternalURL}/users/sign_out?redirect_uri=#{CGI.escape return_to}"
81 # login - Just bounce to /auth/joshid. The only purpose of this function is
82 # to save the return_to parameter (if it exists; see the application
83 # controller). /auth/joshid bypasses the application controller.
85 if params[:remote] !~ /^[0-9a-z]{5}$/ && !params[:remote].nil?
86 return send_error 'Invalid remote cluster id', status: 400
88 if current_user and params[:return_to]
89 # Already logged in; just need to send a token to the requesting
92 # FIXME: if current_user has never authorized this app before,
93 # ask for confirmation here!
95 return send_api_token_to(params[:return_to], current_user, params[:remote])
98 p << "auth_provider=#{CGI.escape(params[:auth_provider])}" if params[:auth_provider]
100 # Encode remote param inside callback's return_to, so that we'll get it on
101 # create() after login.
102 remote_param = params[:remote].nil? ? '' : params[:remote]
103 p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}"
105 redirect_to "/auth/joshid?#{p.join('&')}"
108 def send_api_token_to(callback_url, user, remote=nil)
109 # Give the API client a token for making API calls on behalf of
110 # the authenticated user
112 # Stub: automatically register all new API clients
113 api_client_url_prefix = callback_url.match(%r{^.*?://[^/]+})[0] + '/'
114 act_as_system_user do
115 @api_client = ApiClient.
116 find_or_create_by(url_prefix: api_client_url_prefix)
119 @api_client_auth = ApiClientAuthorization.
121 api_client: @api_client,
122 created_by_ip_address: remote_ip,
124 @api_client_auth.save!
126 if callback_url.index('?')
132 token = @api_client_auth.token
134 token = @api_client_auth.salted_token(remote: remote)
136 callback_url += 'api_token=' + token
137 redirect_to callback_url
140 def cross_origin_forbidden
141 send_error 'Forbidden', status: 403