projects / arvados.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
16171: Test non-Google OIDC login with fake issuer.
[arvados.git] / lib / controller / localdb / login.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package localdb
6
7 import (
8         "context"
9         "errors"
10         "net/http"
11         "net/url"
12
13         "git.arvados.org/arvados.git/lib/controller/rpc"
14         "git.arvados.org/arvados.git/sdk/go/arvados"
15         "git.arvados.org/arvados.git/sdk/go/auth"
16         "git.arvados.org/arvados.git/sdk/go/httpserver"
17 )
18
19 type loginController interface {
20         Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
21         Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
22         UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
23 }
24
25 func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController {
26         wantGoogle := cluster.Login.Google.Enable
27         wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
28         wantSSO := cluster.Login.SSO.Enable
29         wantPAM := cluster.Login.PAM.Enable
30         wantLDAP := cluster.Login.LDAP.Enable
31         switch {
32         case wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
33                 return &oidcLoginController{
34                         Cluster:            cluster,
35                         RailsProxy:         railsProxy,
36                         Issuer:             "https://accounts.google.com",
37                         ClientID:           cluster.Login.Google.ClientID,
38                         ClientSecret:       cluster.Login.Google.ClientSecret,
39                         UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
40                 }
41         case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
42                 issuer := cluster.Login.OpenIDConnect.Issuer
43                 if issuer.Path == "/" {
44                         // The OIDC library returns an error if the
45                         // config says "https://example/" and the
46                         // issuer identifies itself as
47                         // "https://example", even though those URLs
48                         // are equivalent
49                         // (https://tools.ietf.org/html/rfc3986#section-6.2.3).
50                         //
51                         // Our config loader adds "/" to URLs with
52                         // empty path, so we strip it off here and
53                         // count on the issuer to do the same when
54                         // identifying itself, as Google does.
55                         //
56                         // (Non-empty paths as in
57                         // "https://example/foo/" are preserved by the
58                         // config loader so the config just has to
59                         // match the issuer's response.)
60                         issuer.Path = ""
61                 }
62                 return &oidcLoginController{
63                         Cluster:      cluster,
64                         RailsProxy:   railsProxy,
65                         Issuer:       issuer.String(),
66                         ClientID:     cluster.Login.OpenIDConnect.ClientID,
67                         ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
68                 }
69         case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP:
70                 return &ssoLoginController{railsProxy}
71         case !wantGoogle && !wantOpenIDConnect && !wantSSO && wantPAM && !wantLDAP:
72                 return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
73         case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && wantLDAP:
74                 return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
75         default:
76                 return errorLoginController{
77                         error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, and Login.LDAP must be enabled"),
78                 }
79         }
80 }
81
82 // Login and Logout are passed through to the wrapped railsProxy;
83 // UserAuthenticate is rejected.
84 type ssoLoginController struct{ *railsProxy }
85
86 func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
87         return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
88 }
89
90 type errorLoginController struct{ error }
91
92 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
93         return arvados.LoginResponse{}, ctrl.error
94 }
95 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
96         return arvados.LogoutResponse{}, ctrl.error
97 }
98 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
99         return arvados.APIClientAuthorization{}, ctrl.error
100 }
101
102 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
103         target := opts.ReturnTo
104         if target == "" {
105                 if cluster.Services.Workbench2.ExternalURL.Host != "" {
106                         target = cluster.Services.Workbench2.ExternalURL.String()
107                 } else {
108                         target = cluster.Services.Workbench1.ExternalURL.String()
109                 }
110         }
111         return arvados.LogoutResponse{RedirectLocation: target}, nil
112 }
113
114 func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (arvados.APIClientAuthorization, error) {
115         ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
116         resp, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
117                 // Send a fake ReturnTo value instead of the caller's
118                 // opts.ReturnTo. We won't follow the resulting
119                 // redirect target anyway.
120                 ReturnTo: ",https://none.invalid",
121                 AuthInfo: authinfo,
122         })
123         if err != nil {
124                 return arvados.APIClientAuthorization{}, err
125         }
126         target, err := url.Parse(resp.RedirectLocation)
127         if err != nil {
128                 return arvados.APIClientAuthorization{}, err
129         }
130         token := target.Query().Get("api_token")
131         return conn.APIClientAuthorizationCurrent(auth.NewContext(ctx, auth.NewCredentials(token)), arvados.GetOptions{})
132 }