X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/14baeb15c9a703a7c7b5c36b2ddcbf44c35c4c7a..b4b8de21d5c324264b8473446e52e2f595df9039:/services/api/app/controllers/user_sessions_controller.rb
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 3ac47d46cf..5de85bc98b 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -1,34 +1,43 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 class UserSessionsController < ApplicationController
- before_filter :require_auth_scope_all, :only => [ :destroy ]
+ before_filter :require_auth_scope, :only => [ :destroy ]
+ skip_before_filter :set_cors_headers
 skip_before_filter :find_object_by_uuid
+ skip_before_filter :render_404_if_no_object
 respond_to :html
 # omniauth callback method
 def create
 omniauth = env['omniauth.auth']
- #logger.debug "+++ #{omniauth}"
 identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false
 unless identity_url_ok
 # Whoa. This should never happen.
 logger.error "UserSessionsController.create: omniauth object missing/invalid"
- logger.error "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}"
+ logger.error "omniauth: "+omniauth.pretty_inspect
 return redirect_to login_failure_url
 end
- user = User.find_by_identity_url(omniauth['info']['identity_url'])
+ # Only local users can create sessions, hence uuid_like_pattern
+ # here.
+ user = User.where('identity_url = ? and uuid like ?',
+ omniauth['info']['identity_url'],
+ User.uuid_like_pattern).first
 if not user
 # Check for permission to log in to an existing User record with
 # a different identity_url
- Link.where(link_class: 'permission',
- name: 'can_login',
- tail_kind: 'email',
- tail_uuid: omniauth['info']['email'],
- head_kind: 'arvados#user').each do |link|
- if prefix = link.properties[:identity_url_prefix]
+ Link.where("link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?",
+ 'permission',
+ 'can_login',
+ omniauth['info']['email'],
+ User.uuid_like_pattern).each do |link|
+ if prefix = link.properties['identity_url_prefix']
 if prefix == omniauth['info']['identity_url'][0..prefix.size-1]
 user = User.find_by_uuid(link.head_uuid)
 break if user
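Review bot: The replacement error log on the failure path, `logger.error "omniauth: "+omniauth.pretty_inspect`, still dumps the whole OmniAuth hash into the application log; if the provider populates the standard `credentials` key (access/refresh tokens) or puts personal data under `extra`, that material ends up in the logs at error level, and nothing in this hunk redacts it. Log only what is needed to diagnose the failure, e.g. `logger.error "omniauth: provider=#{omniauth['provider'].inspect} uid=#{omniauth['uid'].inspect} info=#{omniauth['info'].inspect}"`, or drop `credentials`/`extra` before inspecting. A second, pre-existing point on the context line `if prefix == omniauth['info']['identity_url'][0..prefix.size-1]`: this is a plain string-prefix match, so a `can_login` prefix of `https://idp.example/alice` also matches `https://idp.example/alice2`; requiring the prefix to end at a delimiter would close that. `create` continues past the end of this hunk.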
@@ -42,7 +51,14 @@ class UserSessionsController < ApplicationController
 :first_name => omniauth['info']['first_name'],
 :last_name => omniauth['info']['last_name'],
 :identity_url => omniauth['info']['identity_url'],
- :is_active => Rails.configuration.new_users_are_active)
+ :is_active => Rails.configuration.new_users_are_active,
+ :owner_uuid => system_user_uuid)
+ if omniauth['info']['username']
+ user.set_initial_username(requested: omniauth['info']['username'])
+ end
+ act_as_system_user do
+ user.save or raise Exception.new(user.errors.messages)
+ end
 else
 user.email = omniauth['info']['email']
 user.first_name = omniauth['info']['first_name']
@@ -53,11 +69,14 @@ class UserSessionsController < ApplicationController
 end
 end
+ # For the benefit of functional and integration tests:
+ @user = user
+
 # prevent ArvadosModel#before_create and _update from throwing
 # "unauthorized":
 Thread.current[:user] = user
- user.save!
+ user.save or raise Exception.new(user.errors.messages)
 omniauth.delete('extra')
@@ -85,13 +104,15 @@ class UserSessionsController < ApplicationController
 flash[:notice] = 'You have logged off'
 return_to = params[:return_to] || root_url
- redirect_to "#{CUSTOM_PROVIDER_URL}/users/sign_out?redirect_uri=#{CGI.escape return_to}"
+ redirect_to "#{Rails.configuration.sso_provider_url}/users/sign_out?redirect_uri=#{CGI.escape return_to}"
 end
 # login - Just bounce to /auth/joshid. The only purpose of this function is
 # to save the return_to parameter (if it exists; see the application
 # controller). /auth/joshid bypasses the application controller.
 def login
+ auth_provider = if params[:auth_provider] then "auth_provider=#{CGI.escape(params[:auth_provider])}" else "" end
+
 if current_user and params[:return_to]
 # Already logged in; just need to send a token to the requesting
 # API client.
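Review bot: `user.set_initial_username(requested: omniauth['info']['username'])` in the new-user branch hands a provider-supplied string to a method whose validation is not visible here, and nothing in the hunk states what that method is expected to guarantee. Add a comment making the contract explicit so a later reader does not assume the value was checked in this controller, e.g. `# username is untrusted identity-provider data; set_initial_username is relied on to validate the format and resolve collisions — confirm`. The `User.new(...)` call that these keyword lines belong to starts before this hunk.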
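Review bot: `user.save or raise Exception.new(user.errors.messages)` raises the root `Exception` class, which slips past every `rescue StandardError`, bare `rescue`, and `rescue_from StandardError` handler in the call chain, so a failed validation here surfaces as an unhandled crash rather than a reportable error; the same construct is introduced in the new-user branch earlier in `create`. Raise a `StandardError` subclass that still carries the messages, e.g. `user.save or raise ActiveRecord::RecordInvalid.new(user)`, which is what the removed `user.save!` produced. `create` starts before this hunk and continues after `omniauth.delete('extra')`.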
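Review bot: The new sign-out redirect, `redirect_to "#{Rails.configuration.sso_provider_url}/users/sign_out?redirect_uri=#{CGI.escape return_to}"`, forwards `params[:return_to]` without any check, so a logout link carrying `return_to=https://attacker.example` bounces the browser, via the SSO provider, to an arbitrary site unless the provider itself validates `redirect_uri`, which this hunk cannot confirm. Validate `return_to` against an allow-list before interpolating it (same-origin paths, or the `url_prefix` values of registered `ApiClient` records), falling back to `root_url` otherwise. The `login` method, whose first new line `auth_provider = ...` is in this hunk, continues past the end of it.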
@@ -101,9 +122,9 @@ class UserSessionsController < ApplicationController
 send_api_token_to(params[:return_to], current_user)
 elsif params[:return_to]
- redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}"
+ redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}&#{auth_provider}"
 else
- redirect_to "/auth/joshid"
+ redirect_to "/auth/joshid?#{auth_provider}"
 end
 end
@@ -114,13 +135,15 @@ class UserSessionsController < ApplicationController
 # Stub: automatically register all new API clients
 api_client_url_prefix = callback_url.match(%r{^.*?://[^/]+})[0] + '/'
 act_as_system_user do
- @api_client = ApiClient.find_or_create_by_url_prefix api_client_url_prefix
+ @api_client = ApiClient.
+ find_or_create_by(url_prefix: api_client_url_prefix)
 end
 api_client_auth = ApiClientAuthorization.
 new(user: user,
 api_client: @api_client,
- created_by_ip_address: remote_ip)
+ created_by_ip_address: remote_ip,
+ scopes: ["all"])
 api_client_auth.save!
 if callback_url.index('?')
@@ -131,4 +154,8 @@ class UserSessionsController < ApplicationController
 callback_url += 'api_token=' + api_client_auth.api_token
 redirect_to callback_url
 end
+
+ def cross_origin_forbidden
+ send_error 'Forbidden', status: 403
+ end
 end
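Review bot: `redirect_to "/auth/joshid?#{auth_provider}"` and the `&#{auth_provider}` variant emit a dangling `?` or `&` whenever no `auth_provider` param was given, because `auth_provider` is pre-formatted as a `key=value` fragment (or the empty string) at the top of `login`, above this hunk. Building the query from a hash is cleaner and has no empty-segment case: `query = {return_to: params[:return_to], auth_provider: params[:auth_provider]}.reject { |_, v| v.nil? }` followed by `redirect_to "/auth/joshid?#{query.to_query}"` (ActiveSupport's `Hash#to_query` does the escaping). `login` starts before this hunk.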
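Review bot: `scopes: ["all"]` mints a full-power API token for whatever origin `callback_url` names, and the new `find_or_create_by(url_prefix: api_client_url_prefix)` two lines above auto-registers that origin as an `ApiClient` the first time it is seen (the `# Stub` comment acknowledges this); since `callback_url` comes from `params[:return_to]` in `login`, a crafted login link can have a victim's freshly created token delivered to a host of the attacker's choosing unless something outside this hunk gates `return_to`. Until an allow-list exists, look the client up rather than creating it, e.g. `@api_client = ApiClient.find_by(url_prefix: api_client_url_prefix) or return send_error('unknown API client', status: 403)`, and consider a narrower default than `["all"]` for tokens handed out on redirect. `send_api_token_to` starts before this hunk and continues after `if callback_url.index('?')`.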