1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
13 "git.arvados.org/arvados.git/lib/controller/rpc"
14 "git.arvados.org/arvados.git/sdk/go/arvados"
15 "git.arvados.org/arvados.git/sdk/go/auth"
16 "git.arvados.org/arvados.git/sdk/go/httpserver"
19 type loginController interface {
20 Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
21 Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
22 UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
25 func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController {
26 wantGoogle := cluster.Login.Google.Enable
27 wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
28 wantSSO := cluster.Login.SSO.Enable
29 wantPAM := cluster.Login.PAM.Enable
30 wantLDAP := cluster.Login.LDAP.Enable
32 case wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
33 return &oidcLoginController{
35 RailsProxy: railsProxy,
36 Issuer: "https://accounts.google.com",
37 ClientID: cluster.Login.Google.ClientID,
38 ClientSecret: cluster.Login.Google.ClientSecret,
39 UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
41 case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
42 issuer := cluster.Login.OpenIDConnect.Issuer
43 if issuer.Path == "/" {
44 // The OIDC library returns an error if the
45 // config says "https://example/" and the
46 // issuer identifies itself as
47 // "https://example", even though those URLs
49 // (https://tools.ietf.org/html/rfc3986#section-6.2.3).
51 // Our config loader adds "/" to URLs with
52 // empty path, so we strip it off here and
53 // count on the issuer to do the same when
54 // identifying itself, as Google does.
56 // (Non-empty paths as in
57 // "https://example/foo/" are preserved by the
58 // config loader so the config just has to
59 // match the issuer's response.)
62 return &oidcLoginController{
64 RailsProxy: railsProxy,
65 Issuer: issuer.String(),
66 ClientID: cluster.Login.OpenIDConnect.ClientID,
67 ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
69 case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP:
70 return &ssoLoginController{railsProxy}
71 case !wantGoogle && !wantOpenIDConnect && !wantSSO && wantPAM && !wantLDAP:
72 return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
73 case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && wantLDAP:
74 return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
76 return errorLoginController{
77 error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, and Login.LDAP must be enabled"),
82 // Login and Logout are passed through to the wrapped railsProxy;
83 // UserAuthenticate is rejected.
84 type ssoLoginController struct{ *railsProxy }
86 func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
87 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
90 type errorLoginController struct{ error }
92 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
93 return arvados.LoginResponse{}, ctrl.error
95 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
96 return arvados.LogoutResponse{}, ctrl.error
98 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
99 return arvados.APIClientAuthorization{}, ctrl.error
102 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
103 target := opts.ReturnTo
105 if cluster.Services.Workbench2.ExternalURL.Host != "" {
106 target = cluster.Services.Workbench2.ExternalURL.String()
108 target = cluster.Services.Workbench1.ExternalURL.String()
111 return arvados.LogoutResponse{RedirectLocation: target}, nil
114 func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (arvados.APIClientAuthorization, error) {
115 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
116 resp, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
117 // Send a fake ReturnTo value instead of the caller's
118 // opts.ReturnTo. We won't follow the resulting
119 // redirect target anyway.
120 ReturnTo: ",https://none.invalid",
124 return arvados.APIClientAuthorization{}, err
126 target, err := url.Parse(resp.RedirectLocation)
128 return arvados.APIClientAuthorization{}, err
130 token := target.Query().Get("api_token")
131 return conn.APIClientAuthorizationCurrent(auth.NewContext(ctx, auth.NewCredentials(token)), arvados.GetOptions{})