Merge branch '16736-max-token-lifetime'

[arvados.git] / services / api / app / controllers / user_sessions_controller.rb

diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 4364229b77284e9dbaab975c626ec9e5e52c3e33..8e9a26b7a88f3207c4ab1cb76f2aba990d6cce9c 100644 (file)
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -17,13 +17,35 @@ class UserSessionsController < ApplicationController
       raise "Local login disabled when LoginCluster is set"
     end
 
-    omniauth = request.env['omniauth.auth']
+    max_expires_at = nil
+    if params[:provider] == 'controller'
+      if request.headers['Authorization'] != 'Bearer ' + Rails.configuration.SystemRootToken
+        return send_error('Invalid authorization header', status: 401)
+      end
+      # arvados-controller verified the user and is passing auth_info
+      # in request params.
+      authinfo = SafeJSON.load(params[:auth_info])
+      max_expires_at = authinfo["expires_at"]
+    else
+      # omniauth middleware verified the user and is passing auth_info
+      # in request.env.
+      authinfo = request.env['omniauth.auth']['info'].with_indifferent_access
+    end
 
-    begin
-      user = User.register omniauth['info']
-    rescue => e
-      Rails.logger.warn e
-      return redirect_to login_failure_url
+    if !authinfo['user_uuid'].blank?
+      user = User.find_by_uuid(authinfo['user_uuid'])
+      if !user
+        Rails.logger.warn "Nonexistent user_uuid in authinfo #{authinfo.inspect}"
+        return redirect_to login_failure_url
+      end
+    else
+      begin
+        user = User.register(authinfo)
+      rescue => e
+        Rails.logger.warn "User.register error #{e}"
+        Rails.logger.warn "authinfo was #{authinfo.inspect}"
+        return redirect_to login_failure_url
+      end
     end
 
     # For the benefit of functional and integration tests:
@@ -45,8 +67,6 @@ class UserSessionsController < ApplicationController
 
     user.save or raise Exception.new(user.errors.messages)
 
-    omniauth.delete('extra')
-
     # Give the authenticated user a cookie for direct API access
     session[:user_id] = user.id
     session[:api_client_uuid] = nil
@@ -62,7 +82,7 @@ class UserSessionsController < ApplicationController
         return send_error 'Invalid remote cluster id', status: 400
       end
       remote = nil if remote == ''
-      return send_api_token_to(return_to_url, user, remote)
+      return send_api_token_to(return_to_url, user, remote, max_expires_at)
     end
     redirect_to @redirect_to
   end
@@ -79,7 +99,7 @@ class UserSessionsController < ApplicationController
 
     flash[:notice] = 'You have logged off'
     return_to = params[:return_to] || root_url
-    redirect_to "#{Rails.configuration.Services.SSO.ExternalURL}/users/sign_out?redirect_uri=#{CGI.escape return_to}"
+    redirect_to "#{Rails.configuration.Services.SSO.ExternalURL}users/sign_out?redirect_uri=#{CGI.escape return_to}"
   end
 
   # login - Just bounce to /auth/joshid. The only purpose of this function is
@@ -126,7 +146,7 @@ class UserSessionsController < ApplicationController
     end
   end
 
-  def send_api_token_to(callback_url, user, remote=nil)
+  def send_api_token_to(callback_url, user, remote=nil, token_expiration=nil)
     # Give the API client a token for making API calls on behalf of
     # the authenticated user
 
@@ -136,11 +156,19 @@ class UserSessionsController < ApplicationController
       @api_client = ApiClient.
         find_or_create_by(url_prefix: api_client_url_prefix)
     end
+    if Rails.configuration.Login.TokenLifetime > 0
+      if token_expiration == nil
+        token_expiration = db_current_time + Rails.configuration.Login.TokenLifetime
+      else
+        token_expiration = [token_expiration, db_current_time + Rails.configuration.Login.TokenLifetime].min
+      end
+    end
 
     @api_client_auth = ApiClientAuthorization.
       new(user: user,
           api_client: @api_client,
           created_by_ip_address: remote_ip,
+          expires_at: token_expiration,
           scopes: ["all"])
     @api_client_auth.save!