X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/14baeb15c9a703a7c7b5c36b2ddcbf44c35c4c7a..33606c82797185fa65751f5724304f02605e0e05:/services/api/app/controllers/user_sessions_controller.rb diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb index 3ac47d46cf..256a67bcbb 100644 --- a/services/api/app/controllers/user_sessions_controller.rb +++ b/services/api/app/controllers/user_sessions_controller.rb @@ -1,14 +1,15 @@ class UserSessionsController < ApplicationController - before_filter :require_auth_scope_all, :only => [ :destroy ] + before_filter :require_auth_scope, :only => [ :destroy ] + skip_before_filter :set_cors_headers skip_before_filter :find_object_by_uuid + skip_before_filter :render_404_if_no_object respond_to :html # omniauth callback method def create omniauth = env['omniauth.auth'] - #logger.debug "+++ #{omniauth}" identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false unless identity_url_ok @@ -23,12 +24,12 @@ class UserSessionsController < ApplicationController if not user # Check for permission to log in to an existing User record with # a different identity_url - Link.where(link_class: 'permission', - name: 'can_login', - tail_kind: 'email', - tail_uuid: omniauth['info']['email'], - head_kind: 'arvados#user').each do |link| - if prefix = link.properties[:identity_url_prefix] + Link.where("link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?", + 'permission', + 'can_login', + omniauth['info']['email'], + User.uuid_like_pattern).each do |link| + if prefix = link.properties['identity_url_prefix'] if prefix == omniauth['info']['identity_url'][0..prefix.size-1] user = User.find_by_uuid(link.head_uuid) break if user @@ -42,7 +43,11 @@ class UserSessionsController < ApplicationController :first_name => omniauth['info']['first_name'], :last_name => omniauth['info']['last_name'], :identity_url => omniauth['info']['identity_url'], - :is_active => Rails.configuration.new_users_are_active) + :is_active => Rails.configuration.new_users_are_active, + :owner_uuid => system_user_uuid) + act_as_system_user do + user.save or raise Exception.new(user.errors.messages) + end else user.email = omniauth['info']['email'] user.first_name = omniauth['info']['first_name'] @@ -53,11 +58,14 @@ class UserSessionsController < ApplicationController end end + # For the benefit of functional and integration tests: + @user = user + # prevent ArvadosModel#before_create and _update from throwing # "unauthorized": Thread.current[:user] = user - user.save! + user.save or raise Exception.new(user.errors.messages) omniauth.delete('extra') @@ -92,6 +100,8 @@ class UserSessionsController < ApplicationController # to save the return_to parameter (if it exists; see the application # controller). /auth/joshid bypasses the application controller. def login + auth_provider = if params[:auth_provider] then "auth_provider=#{CGI.escape(params[:auth_provider])}" else "" end + if current_user and params[:return_to] # Already logged in; just need to send a token to the requesting # API client. @@ -101,9 +111,9 @@ class UserSessionsController < ApplicationController send_api_token_to(params[:return_to], current_user) elsif params[:return_to] - redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}" + redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}&#{auth_provider}" else - redirect_to "/auth/joshid" + redirect_to "/auth/joshid?#{auth_provider}" end end @@ -120,7 +130,8 @@ class UserSessionsController < ApplicationController api_client_auth = ApiClientAuthorization. new(user: user, api_client: @api_client, - created_by_ip_address: remote_ip) + created_by_ip_address: remote_ip, + scopes: ["all"]) api_client_auth.save! if callback_url.index('?') @@ -131,4 +142,8 @@ class UserSessionsController < ApplicationController callback_url += 'api_token=' + api_client_auth.api_token redirect_to callback_url end + + def cross_origin_forbidden + send_error 'Forbidden', status: 403 + end end