X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a25c9cb6721e61afe433a238b2e2c580adf97f31..b20e9017fae4dc9876f4ffee56add1c58f3e3f21:/services/api/app/controllers/user_sessions_controller.rb diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb index cdcb720c79..5de85bc98b 100644 --- a/services/api/app/controllers/user_sessions_controller.rb +++ b/services/api/app/controllers/user_sessions_controller.rb @@ -1,3 +1,7 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + class UserSessionsController < ApplicationController before_filter :require_auth_scope, :only => [ :destroy ] @@ -15,12 +19,16 @@ class UserSessionsController < ApplicationController unless identity_url_ok # Whoa. This should never happen. logger.error "UserSessionsController.create: omniauth object missing/invalid" - logger.error "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}" + logger.error "omniauth: "+omniauth.pretty_inspect return redirect_to login_failure_url end - user = User.find_by_identity_url(omniauth['info']['identity_url']) + # Only local users can create sessions, hence uuid_like_pattern + # here. + user = User.where('identity_url = ? and uuid like ?', + omniauth['info']['identity_url'], + User.uuid_like_pattern).first if not user # Check for permission to log in to an existing User record with # a different identity_url @@ -45,6 +53,9 @@ class UserSessionsController < ApplicationController :identity_url => omniauth['info']['identity_url'], :is_active => Rails.configuration.new_users_are_active, :owner_uuid => system_user_uuid) + if omniauth['info']['username'] + user.set_initial_username(requested: omniauth['info']['username']) + end act_as_system_user do user.save or raise Exception.new(user.errors.messages) end @@ -93,13 +104,15 @@ class UserSessionsController < ApplicationController flash[:notice] = 'You have logged off' return_to = params[:return_to] || root_url - redirect_to "#{CUSTOM_PROVIDER_URL}/users/sign_out?redirect_uri=#{CGI.escape return_to}" + redirect_to "#{Rails.configuration.sso_provider_url}/users/sign_out?redirect_uri=#{CGI.escape return_to}" end # login - Just bounce to /auth/joshid. The only purpose of this function is # to save the return_to parameter (if it exists; see the application # controller). /auth/joshid bypasses the application controller. def login + auth_provider = if params[:auth_provider] then "auth_provider=#{CGI.escape(params[:auth_provider])}" else "" end + if current_user and params[:return_to] # Already logged in; just need to send a token to the requesting # API client. @@ -109,9 +122,9 @@ class UserSessionsController < ApplicationController send_api_token_to(params[:return_to], current_user) elsif params[:return_to] - redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}" + redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}&#{auth_provider}" else - redirect_to "/auth/joshid" + redirect_to "/auth/joshid?#{auth_provider}" end end @@ -122,7 +135,8 @@ class UserSessionsController < ApplicationController # Stub: automatically register all new API clients api_client_url_prefix = callback_url.match(%r{^.*?://[^/]+})[0] + '/' act_as_system_user do - @api_client = ApiClient.find_or_create_by_url_prefix api_client_url_prefix + @api_client = ApiClient. + find_or_create_by(url_prefix: api_client_url_prefix) end api_client_auth = ApiClientAuthorization. @@ -140,4 +154,8 @@ class UserSessionsController < ApplicationController callback_url += 'api_token=' + api_client_auth.api_token redirect_to callback_url end + + def cross_origin_forbidden + send_error 'Forbidden', status: 403 + end end