X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cabf89d1fd8b40a2624d101a95c6587bfdd91fed..0ce66018616c5177bc9268280119d6f08f339d4d:/lib/controller/localdb/login.go diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go index f4632751e3..3c7b01baad 100644 --- a/lib/controller/localdb/login.go +++ b/lib/controller/localdb/login.go @@ -27,49 +27,50 @@ type loginController interface { UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) } -func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController { +func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController { wantGoogle := cluster.Login.Google.Enable wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable - wantSSO := cluster.Login.SSO.Enable wantPAM := cluster.Login.PAM.Enable wantLDAP := cluster.Login.LDAP.Enable wantTest := cluster.Login.Test.Enable wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID switch { - case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster): + case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster): return errorLoginController{ - error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"), + error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"), } case wantGoogle: return &oidcLoginController{ Cluster: cluster, - RailsProxy: railsProxy, + Parent: parent, Issuer: "https://accounts.google.com", ClientID: cluster.Login.Google.ClientID, ClientSecret: cluster.Login.Google.ClientSecret, + AuthParams: cluster.Login.Google.AuthenticationRequestParameters, UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses, EmailClaim: "email", EmailVerifiedClaim: "email_verified", } case wantOpenIDConnect: return &oidcLoginController{ - Cluster: cluster, - RailsProxy: railsProxy, - Issuer: cluster.Login.OpenIDConnect.Issuer, - ClientID: cluster.Login.OpenIDConnect.ClientID, - ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, - EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, - EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, - UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + Cluster: cluster, + Parent: parent, + Issuer: cluster.Login.OpenIDConnect.Issuer, + ClientID: cluster.Login.OpenIDConnect.ClientID, + ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + AuthParams: cluster.Login.OpenIDConnect.AuthenticationRequestParameters, + EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, + EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, + UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + AcceptAccessToken: cluster.Login.OpenIDConnect.AcceptAccessToken, + AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope, } - case wantSSO: - return &ssoLoginController{railsProxy} case wantPAM: - return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy} + return &pamLoginController{Cluster: cluster, Parent: parent} case wantLDAP: - return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy} + return &ldapLoginController{Cluster: cluster, Parent: parent} case wantTest: - return &testLoginController{Cluster: cluster, RailsProxy: railsProxy} + return &testLoginController{Cluster: cluster, Parent: parent} case wantLoginCluster: return &federatedLoginController{Cluster: cluster} default: @@ -89,14 +90,6 @@ func countTrue(vals ...bool) int { return n } -// Login and Logout are passed through to the wrapped railsProxy; -// UserAuthenticate is rejected. -type ssoLoginController struct{ *railsProxy } - -func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { - return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) -} - type errorLoginController struct{ error } func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { @@ -116,28 +109,19 @@ type federatedLoginController struct { func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest) } -func (ctrl federatedLoginController) Logout(_ context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { - return noopLogout(ctrl.Cluster, opts) +func (ctrl federatedLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { + return logout(ctx, ctrl.Cluster, opts) } func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) } -func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { - target := opts.ReturnTo - if target == "" { - if cluster.Services.Workbench2.ExternalURL.Host != "" { - target = cluster.Services.Workbench2.ExternalURL.String() - } else { - target = cluster.Services.Workbench1.ExternalURL.String() - } +func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { + if rootToken == "" { + return arvados.APIClientAuthorization{}, errors.New("configuration error: empty SystemRootToken") } - return arvados.LogoutResponse{RedirectLocation: target}, nil -} - -func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}}) - newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ + newsession, err := conn.railsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ // Send a fake ReturnTo value instead of the caller's // opts.ReturnTo. We won't follow the resulting // redirect target anyway.