X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c7c08265ddec9f990c9dce9befa21d555983e43e..f68ba06c5e85b748f13f723373e1fbe79fa8e563:/lib/controller/localdb/login.go diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go index 01fa84ea4f..a1ac2c55b0 100644 --- a/lib/controller/localdb/login.go +++ b/lib/controller/localdb/login.go @@ -10,6 +10,7 @@ import ( "encoding/json" "errors" "fmt" + "net" "net/http" "net/url" "strings" @@ -30,15 +31,14 @@ type loginController interface { func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController { wantGoogle := cluster.Login.Google.Enable wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable - wantSSO := cluster.Login.SSO.Enable wantPAM := cluster.Login.PAM.Enable wantLDAP := cluster.Login.LDAP.Enable wantTest := cluster.Login.Test.Enable wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID switch { - case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster): + case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster): return errorLoginController{ - error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"), + error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"), } case wantGoogle: return &oidcLoginController{ @@ -54,18 +54,18 @@ func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginControll } case wantOpenIDConnect: return &oidcLoginController{ - Cluster: cluster, - Parent: parent, - Issuer: cluster.Login.OpenIDConnect.Issuer, - ClientID: cluster.Login.OpenIDConnect.ClientID, - ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, - AuthParams: cluster.Login.OpenIDConnect.AuthenticationRequestParameters, - EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, - EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, - UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + Cluster: cluster, + Parent: parent, + Issuer: cluster.Login.OpenIDConnect.Issuer, + ClientID: cluster.Login.OpenIDConnect.ClientID, + ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + AuthParams: cluster.Login.OpenIDConnect.AuthenticationRequestParameters, + EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, + EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, + UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + AcceptAccessToken: cluster.Login.OpenIDConnect.AcceptAccessToken, + AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope, } - case wantSSO: - return &ssoLoginController{Parent: parent} case wantPAM: return &pamLoginController{Cluster: cluster, Parent: parent} case wantLDAP: @@ -91,20 +91,6 @@ func countTrue(vals ...bool) int { return n } -// Login and Logout are passed through to the parent's railsProxy; -// UserAuthenticate is rejected. -type ssoLoginController struct{ Parent *Conn } - -func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) { - return ctrl.Parent.railsProxy.Login(ctx, opts) -} -func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { - return ctrl.Parent.railsProxy.Logout(ctx, opts) -} -func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { - return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) -} - type errorLoginController struct{ error } func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { @@ -162,13 +148,13 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st tokensecret = tokenparts[2] } } - var exp sql.NullString + var exp sql.NullTime var scopes []byte err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) if err != nil { return } - resp.ExpiresAt = exp.String + resp.ExpiresAt = exp.Time if len(scopes) > 0 { err = json.Unmarshal(scopes, &resp.Scopes) if err != nil { @@ -177,3 +163,39 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st } return } + +func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error { + u, err := url.Parse(returnTo) + if err != nil { + return err + } + u, err = u.Parse("/") + if err != nil { + return err + } + if u.Port() == "80" && u.Scheme == "http" { + u.Host = u.Hostname() + } else if u.Port() == "443" && u.Scheme == "https" { + u.Host = u.Hostname() + } + if _, ok := cluster.Login.TrustedClients[arvados.URL(*u)]; ok { + return nil + } + if u.String() == cluster.Services.Workbench1.ExternalURL.String() || + u.String() == cluster.Services.Workbench2.ExternalURL.String() { + return nil + } + if cluster.Login.TrustPrivateNetworks { + if u.Hostname() == "localhost" { + return nil + } + if ip := net.ParseIP(u.Hostname()); len(ip) > 0 { + for _, n := range privateNetworks { + if n.Contains(ip) { + return nil + } + } + } + } + return fmt.Errorf("requesting site is not listed in TrustedClients config") +}