X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cf1dcfb8715822f7ac5fe4fce067197dd84bad54..7c3e13d4876a8e37feffee3cdaebc44b20b7b61b:/services/api/app/controllers/user_sessions_controller.rb diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb index 6e18cdd460..49af414310 100644 --- a/services/api/app/controllers/user_sessions_controller.rb +++ b/services/api/app/controllers/user_sessions_controller.rb @@ -13,6 +13,10 @@ class UserSessionsController < ApplicationController # omniauth callback method def create + if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID + raise "Local login disabled when LoginCluster is set" + end + omniauth = request.env['omniauth.auth'] identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false @@ -80,6 +84,16 @@ class UserSessionsController < ApplicationController # For the benefit of functional and integration tests: @user = user + if user.uuid[0..4] != Rails.configuration.ClusterID + # Actually a remote user + # Send them to their home cluster's login + rh = Rails.configuration.RemoteClusters[user.uuid[0..4]] + remote, return_to_url = params[:return_to].split(',', 2) + @remotehomeurl = "#{rh.Scheme || "https"}://#{rh.Host}/login?remote=#{Rails.configuration.ClusterID}&return_to=#{return_to_url}" + render + return + end + # prevent ArvadosModel#before_create and _update from throwing # "unauthorized": Thread.current[:user] = user 
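Review bot: The guard added at the top of `create` spells out the full LoginCluster test inline, and the same expression is repeated in the last hunk of this patch, so the two copies can drift apart and leave the omniauth callback accepting local logins that the redirect path already delegates. A private predicate used by both call sites would keep them in step, for example a `delegated_login?` method returning `!Rails.configuration.Login.LoginCluster.empty? && Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID` (with `&&` rather than `and`). Raising a bare string produces a RuntimeError, which presumably surfaces as a generic server error rather than a refusal; an explicit error class or status would make these rejections easier to tell apart in logs. The body of `create` continues outside this hunk.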
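Review bot: In the remote-user branch added to `create` (second hunk), `return_to_url` is taken from `params[:return_to]` and interpolated into `@remotehomeurl` without escaping, so a value containing `&` or `#` can add or truncate query parameters on the home cluster's login URL; the last hunk of this patch wraps the same parameter in `CGI.escape`. I would write `return_to=#{CGI.escape(return_to_url.to_s)}` here. Two lookups are also unguarded: `Rails.configuration.RemoteClusters[user.uuid[0..4]]` can apparently be nil (the last hunk checks for that case), and `params[:return_to]` may be absent, and either one becomes a NoMethodError instead of a clear refusal; `raise "unknown home cluster" unless rh` before building the URL would cover the first. The `remote` local from the split is never used, and how the view emits `@remotehomeurl` is not visible, since `create` starts and ends outside this hunk.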
@@ -141,13 +155,30 @@ class UserSessionsController < ApplicationController end p = [] p << "auth_provider=#{CGI.escape(params[:auth_provider])}" if params[:auth_provider] - if params[:return_to] - # Encode remote param inside callback's return_to, so that we'll get it on - # create() after login. - remote_param = params[:remote].nil? ? '' : params[:remote] - p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}" + + if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID + host = ApiClientAuthorization.remote_host(uuid_prefix: Rails.configuration.Login.LoginCluster) + if not host + raise "LoginCluster #{Rails.configuration.Login.LoginCluster} missing from RemoteClusters" + end + scheme = "https" + cluster = Rails.configuration.RemoteClusters[Rails.configuration.Login.LoginCluster] + if cluster and cluster['Scheme'] and !cluster['Scheme'].empty? + scheme = cluster['Scheme'] + end + login_cluster = "#{scheme}://#{host}" + p << "remote=#{CGI.escape(params[:remote])}" if params[:remote] + p << "return_to=#{CGI.escape(params[:return_to])}" if params[:return_to] + redirect_to "#{login_cluster}/login?#{p.join('&')}" + else + if params[:return_to] + # Encode remote param inside callback's return_to, so that we'll get it on + # create() after login. + remote_param = params[:remote].nil? ? '' : params[:remote] + p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}" + end + redirect_to "/auth/joshid?#{p.join('&')}" end - redirect_to "/auth/joshid?#{p.join('&')}" end def send_api_token_to(callback_url, user, remote=nil)
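Review bot: The delegated branch forwards `params[:remote]` and `params[:return_to]` to another cluster's `/login` exactly as received, and nothing in this hunk says which side is responsible for validating them. A comment above the two `p <<` lines would make that explicit, e.g. `# remote/return_to are request-supplied and forwarded as-is; the LoginCluster's login action must validate them`. The branch also reads the cluster entry twice, once through `ApiClientAuthorization.remote_host` and once through `Rails.configuration.RemoteClusters[...]`, and uses `cluster['Scheme']` where the earlier hunk uses `rh.Scheme`; a single lookup with one accessor style would be easier to audit. The enclosing method starts outside this hunk.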