X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c0e2292b4ed0065448e11fe3ecd7b0ee8c87ff4b..4ac438924f1e365cf5231140c9640c004ad4f1ff:/services/api/app/controllers/user_sessions_controller.rb diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb index 961ab4e8bb..0b80877bc2 100644 --- a/services/api/app/controllers/user_sessions_controller.rb +++ b/services/api/app/controllers/user_sessions_controller.rb @@ -1,28 +1,41 @@ class UserSessionsController < ApplicationController - before_filter :login_required, :only => [ :destroy ] + before_filter :require_auth_scope, :only => [ :destroy ] - skip_before_filter :uncamelcase_params_hash_keys skip_before_filter :find_object_by_uuid + skip_before_filter :render_404_if_no_object respond_to :html # omniauth callback method def create omniauth = env['omniauth.auth'] - #logger.debug "+++ #{omniauth}" identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false unless identity_url_ok # Whoa. This should never happen. + logger.error "UserSessionsController.create: omniauth object missing/invalid" + logger.error "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}" - @title = "UserSessionsController.create: omniauth object missing/invalid" - @body = "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}" - - view_context.fatal_error(@title,@body) - return redirect_to openid_login_error_url + return redirect_to login_failure_url end user = User.find_by_identity_url(omniauth['info']['identity_url']) + if not user + # Check for permission to log in to an existing User record with + # a different identity_url + Link.where("link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?", + 'permission', + 'can_login', + omniauth['info']['email'], + User.uuid_like_pattern).each do |link| + if prefix = link.properties['identity_url_prefix'] + if prefix == omniauth['info']['identity_url'][0..prefix.size-1] + user = User.find_by_uuid(link.head_uuid) + break if user + end + end + end + end if not user # New user registration user = User.new(:email => omniauth['info']['email'], @@ -34,13 +47,17 @@ class UserSessionsController < ApplicationController user.email = omniauth['info']['email'] user.first_name = omniauth['info']['first_name'] user.last_name = omniauth['info']['last_name'] + if user.identity_url.nil? + # First login to a pre-activated account + user.identity_url = omniauth['info']['identity_url'] + end end # prevent ArvadosModel#before_create and _update from throwing # "unauthorized": Thread.current[:user] = user - user.save! + user.save or raise Exception.new(user.errors.messages) omniauth.delete('extra') @@ -96,20 +113,23 @@ class UserSessionsController < ApplicationController # Stub: automatically register all new API clients api_client_url_prefix = callback_url.match(%r{^.*?://[^/]+})[0] + '/' - api_client = ApiClient.find_or_create_by_url_prefix(api_client_url_prefix) + act_as_system_user do + @api_client = ApiClient.find_or_create_by_url_prefix api_client_url_prefix + end api_client_auth = ApiClientAuthorization. new(user: user, - api_client: api_client, - created_by_ip_address: remote_ip) + api_client: @api_client, + created_by_ip_address: remote_ip, + scopes: ["all"]) api_client_auth.save! if callback_url.index('?') - callback_url << '&' + callback_url += '&' else - callback_url << '?' + callback_url += '?' end - callback_url << 'api_token=' << api_client_auth.api_token + callback_url += 'api_token=' + api_client_auth.api_token redirect_to callback_url end end