X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/43c411ec1441ee1710dc33389d7451f7414a170f..34173202861e94dee58ccd5b189983918813d870:/services/api/app/controllers/user_sessions_controller.rb diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb index 537c1aa411..3e79915f3c 100644 --- a/services/api/app/controllers/user_sessions_controller.rb +++ b/services/api/app/controllers/user_sessions_controller.rb @@ -1,45 +1,70 @@ class UserSessionsController < ApplicationController - before_filter :login_required, :only => [ :destroy ] + before_filter :require_auth_scope, :only => [ :destroy ] - skip_before_filter :uncamelcase_params_hash_keys skip_before_filter :find_object_by_uuid + skip_before_filter :render_404_if_no_object respond_to :html # omniauth callback method def create omniauth = env['omniauth.auth'] - #logger.debug "+++ #{omniauth}" identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false unless identity_url_ok # Whoa. This should never happen. + logger.error "UserSessionsController.create: omniauth object missing/invalid" + logger.error "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}" - @title = "UserSessionsController.create: omniauth object missing/invalid" - @body = "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}" - - view_context.fatal_error(@title,@body) - return redirect_to openid_login_error_url + return redirect_to login_failure_url end user = User.find_by_identity_url(omniauth['info']['identity_url']) + if not user + # Check for permission to log in to an existing User record with + # a different identity_url + Link.where("link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?", + 'permission', + 'can_login', + omniauth['info']['email'], + User.uuid_like_pattern).each do |link| + if prefix = link.properties['identity_url_prefix'] + if prefix == omniauth['info']['identity_url'][0..prefix.size-1] + user = User.find_by_uuid(link.head_uuid) + break if user + end + end + end + end if not user # New user registration user = User.new(:email => omniauth['info']['email'], :first_name => omniauth['info']['first_name'], :last_name => omniauth['info']['last_name'], - :identity_url => omniauth['info']['identity_url']) + :identity_url => omniauth['info']['identity_url'], + :is_active => Rails.configuration.new_users_are_active, + :owner_uuid => system_user_uuid) + act_as_system_user do + user.save or raise Exception.new(user.errors.messages) + end else user.email = omniauth['info']['email'] user.first_name = omniauth['info']['first_name'] user.last_name = omniauth['info']['last_name'] + if user.identity_url.nil? + # First login to a pre-activated account + user.identity_url = omniauth['info']['identity_url'] + end end + # For the benefit of functional and integration tests: + @user = user + # prevent ArvadosModel#before_create and _update from throwing # "unauthorized": Thread.current[:user] = user - user.save! + user.save or raise Exception.new(user.errors.messages) omniauth.delete('extra') @@ -95,20 +120,23 @@ class UserSessionsController < ApplicationController # Stub: automatically register all new API clients api_client_url_prefix = callback_url.match(%r{^.*?://[^/]+})[0] + '/' - api_client = ApiClient.find_or_create_by_url_prefix(api_client_url_prefix) + act_as_system_user do + @api_client = ApiClient.find_or_create_by_url_prefix api_client_url_prefix + end api_client_auth = ApiClientAuthorization. new(user: user, - api_client: api_client, - created_by_ip_address: remote_ip) + api_client: @api_client, + created_by_ip_address: remote_ip, + scopes: ["all"]) api_client_auth.save! if callback_url.index('?') - callback_url << '&' + callback_url += '&' else - callback_url << '?' + callback_url += '?' end - callback_url << 'api_token=' << api_client_auth.api_token + callback_url += 'api_token=' + api_client_auth.api_token redirect_to callback_url end end