X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5022c4068227e4d354389169a9abd726206aff7d..38104975556f7a0a59c1a21a97aa37cd0e178d69:/services/api/app/controllers/user_sessions_controller.rb
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 0a03399d1f..8e9a26b7a8 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -17,6 +17,7 @@ class UserSessionsController < ApplicationController
 raise "Local login disabled when LoginCluster is set"
 end
+ max_expires_at = nil
 if params[:provider] == 'controller'
 if request.headers['Authorization'] != 'Bearer ' + Rails.configuration.SystemRootToken
 return send_error('Invalid authorization header', status: 401)
@@ -24,17 +25,27 @@ class UserSessionsController < ApplicationController
 # arvados-controller verified the user and is passing auth_info
 # in request params.
 authinfo = SafeJSON.load(params[:auth_info])
+ max_expires_at = authinfo["expires_at"]
 else
 # omniauth middleware verified the user and is passing auth_info
 # in request.env.
 authinfo = request.env['omniauth.auth']['info'].with_indifferent_access
 end
- begin
- user = User.register(authinfo)
- rescue => e
- Rails.logger.warn e
- return redirect_to login_failure_url
+ if !authinfo['user_uuid'].blank?
+ user = User.find_by_uuid(authinfo['user_uuid'])
+ if !user
+ Rails.logger.warn "Nonexistent user_uuid in authinfo #{authinfo.inspect}"
+ return redirect_to login_failure_url
+ end
+ else
+ begin
+ user = User.register(authinfo)
+ rescue => e
+ Rails.logger.warn "User.register error #{e}"
+ Rails.logger.warn "authinfo was #{authinfo.inspect}"
+ return redirect_to login_failure_url
+ end
+ end
 # For the benefit of functional and integration tests:
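Review bot: Both new failure paths write the entire `authinfo` hash to the log via `authinfo.inspect` (`"Nonexistent user_uuid in authinfo #{authinfo.inspect}"` and `"authinfo was #{authinfo.inspect}"`), and in the omniauth branch that hash is `request.env['omniauth.auth']['info']`, i.e. the identity provider's profile fields (e-mail, names, whatever else the provider supplies), so a failed login now dumps personal data into the API server log at warn level where the removed code logged only the exception. I would log just what is needed to debug the lookup, e.g. `Rails.logger.warn "Nonexistent user_uuid #{authinfo['user_uuid'].inspect} in authinfo (keys: #{authinfo.keys.inspect})"` and `Rails.logger.warn "User.register error #{e} (authinfo keys: #{authinfo.keys.inspect})"`. Separately, the `user_uuid` branch skips `User.register` and issues a token for whichever user the uuid names; that is acceptable on the controller path, which was authenticated against SystemRootToken just above, but the same branch is reachable from the omniauth path if a provider's info hash ever carries a `user_uuid` key — presumably it never does, but a comment stating that the key is only trusted because both sources are authenticated upstream would make the assumption explicit. The enclosing action starts and ends outside this hunk.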
@@ -71,7 +82,7 @@ class UserSessionsController < ApplicationController
 return send_error 'Invalid remote cluster id', status: 400
 end
 remote = nil if remote == ''
- return send_api_token_to(return_to_url, user, remote)
+ return send_api_token_to(return_to_url, user, remote, max_expires_at)
 end
 redirect_to @redirect_to
 end
@@ -88,7 +99,7 @@ class UserSessionsController < ApplicationController
 flash[:notice] = 'You have logged off'
 return_to = params[:return_to] || root_url
- redirect_to "#{Rails.configuration.Services.SSO.ExternalURL}/users/sign_out?redirect_uri=#{CGI.escape return_to}"
+ redirect_to "#{Rails.configuration.Services.SSO.ExternalURL}users/sign_out?redirect_uri=#{CGI.escape return_to}"
 end
 # login - Just bounce to /auth/joshid. The only purpose of this function is
@@ -135,7 +146,7 @@ class UserSessionsController < ApplicationController
 end
 end
- def send_api_token_to(callback_url, user, remote=nil)
+ def send_api_token_to(callback_url, user, remote=nil, token_expiration=nil)
 # Give the API client a token for making API calls on behalf of
 # the authenticated user
@@ -145,11 +156,19 @@ class UserSessionsController < ApplicationController
 @api_client = ApiClient.
 find_or_create_by(url_prefix: api_client_url_prefix)
 end
+ if Rails.configuration.Login.TokenLifetime > 0
+ if token_expiration == nil
+ token_expiration = db_current_time + Rails.configuration.Login.TokenLifetime
+ else
+ token_expiration = [token_expiration, db_current_time + Rails.configuration.Login.TokenLifetime].min
+ end
+ end
 @api_client_auth = ApiClientAuthorization.
 new(user: user,
 api_client: @api_client,
 created_by_ip_address: remote_ip,
+ expires_at: token_expiration,
 scopes: ["all"])
 @api_client_auth.save!
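Review bot: The sign-out redirect now depends on `Rails.configuration.Services.SSO.ExternalURL` ending in a slash: with the `/` dropped before `users/sign_out`, a value like `https://sso.example.com` yields `https://sso.example.comusers/sign_out`, which sends the browser to a different host. If the config loader normalizes that URL to a trailing `/` this is fine, but nothing in this controller guarantees it; joining defensively with `redirect_to "#{Rails.configuration.Services.SSO.ExternalURL.to_s.chomp('/')}/users/sign_out?redirect_uri=#{CGI.escape return_to}"` works for either spelling and keeps any path prefix. Unchanged by this commit but worth noting next to it: `return_to` is taken verbatim from `params[:return_to]` and forwarded as the SSO `redirect_uri`, so the redirect target is only as safe as the SSO server's validation of that parameter. The `logout` action begins outside this hunk.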
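Review bot: The new `token_expiration` parameter on `send_api_token_to` is left undocumented, and the existing comment below the signature only describes the token itself; since this value can shorten but (in the later hunk) never extend the configured lifetime, its contract should be stated where callers read the signature. I would extend the header comment with `# token_expiration: optional expiry requested by the caller (nil = none); when Login.TokenLifetime is set, the issued token expires at the earlier of the two.` The method body continues past this hunk.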
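Review bot: In the `else` branch of the new `TokenLifetime` block, `[token_expiration, db_current_time + Rails.configuration.Login.TokenLifetime].min` compares `token_expiration` against a time, yet the only caller that passes a non-nil value takes it from `authinfo["expires_at"]`, which comes out of `SafeJSON.load(params[:auth_info])` in the first hunk and is therefore presumably a JSON string rather than a Time; `Array#min` on a String and a Time raises `ArgumentError: comparison of String with ... failed`, so a controller login that carries an expiry would 500 whenever `TokenLifetime > 0`. With `TokenLifetime` at 0 the string goes straight into `expires_at:` and ActiveRecord casts it, which is why only the clamping branch is affected. I would normalize before the nil check, `token_expiration = Time.zone.parse(token_expiration) if token_expiration.is_a?(String)`, so an unparsable value becomes nil and falls back to the configured lifetime instead of raising or becoming unbounded. The clamp is a security boundary and deserves a why-comment, e.g. `# Never issue a token that outlives the configured lifetime, even if the caller asked for a later expiry.` The remainder of `send_api_token_to` lies outside this hunk.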