X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d739042d5aedd9a2cef19deb591cccc57d639353..fbd40a96ea616d8042db23371083ebf80684825f:/lib/controller/localdb/login.go diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go index af9a034827..1267414842 100644 --- a/lib/controller/localdb/login.go +++ b/lib/controller/localdb/login.go @@ -6,34 +6,94 @@ package localdb import ( "context" + "database/sql" + "encoding/json" "errors" + "fmt" + "net/http" + "net/url" + "strings" + "git.arvados.org/arvados.git/lib/controller/rpc" + "git.arvados.org/arvados.git/lib/ctrlctx" "git.arvados.org/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/auth" + "git.arvados.org/arvados.git/sdk/go/httpserver" ) type loginController interface { Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) + UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) } func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController { - wantGoogle := cluster.Login.GoogleClientID != "" - wantSSO := cluster.Login.ProviderAppID != "" - wantPAM := cluster.Login.PAM + wantGoogle := cluster.Login.Google.Enable + wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable + wantSSO := cluster.Login.SSO.Enable + wantPAM := cluster.Login.PAM.Enable + wantLDAP := cluster.Login.LDAP.Enable + wantTest := cluster.Login.Test.Enable switch { - case wantGoogle && !wantSSO && !wantPAM: - return &googleLoginController{Cluster: cluster, RailsProxy: railsProxy} - case !wantGoogle && wantSSO && !wantPAM: - return railsProxy - case !wantGoogle && !wantSSO && wantPAM: + case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest): + return errorLoginController{ + error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, and Login.Test must be enabled"), + } + case wantGoogle: + return &oidcLoginController{ + Cluster: cluster, + RailsProxy: railsProxy, + Issuer: "https://accounts.google.com", + ClientID: cluster.Login.Google.ClientID, + ClientSecret: cluster.Login.Google.ClientSecret, + UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses, + EmailClaim: "email", + EmailVerifiedClaim: "email_verified", + } + case wantOpenIDConnect: + return &oidcLoginController{ + Cluster: cluster, + RailsProxy: railsProxy, + Issuer: cluster.Login.OpenIDConnect.Issuer, + ClientID: cluster.Login.OpenIDConnect.ClientID, + ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, + EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, + UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + } + case wantSSO: + return &ssoLoginController{railsProxy} + case wantPAM: return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy} + case wantLDAP: + return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy} + case wantTest: + return &testLoginController{Cluster: cluster, RailsProxy: railsProxy} default: return errorLoginController{ - error: errors.New("configuration problem: exactly one of Login.GoogleClientID, Login.ProviderAppID, or Login.PAM must be configured"), + error: errors.New("BUG: missing case in login controller setup switch"), } } } +func countTrue(vals ...bool) int { + n := 0 + for _, val := range vals { + if val { + n++ + } + } + return n +} + +// Login and Logout are passed through to the wrapped railsProxy; +// UserAuthenticate is rejected. +type ssoLoginController struct{ *railsProxy } + +func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { + return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) +} + type errorLoginController struct{ error } func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { @@ -42,6 +102,9 @@ func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (a func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) { return arvados.LogoutResponse{}, ctrl.error } +func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { + return arvados.APIClientAuthorization{}, ctrl.error +} func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { target := opts.ReturnTo @@ -54,3 +117,47 @@ func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.L } return arvados.LogoutResponse{RedirectLocation: target}, nil } + +func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { + ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}}) + newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ + // Send a fake ReturnTo value instead of the caller's + // opts.ReturnTo. We won't follow the resulting + // redirect target anyway. + ReturnTo: ",https://none.invalid", + AuthInfo: authinfo, + }) + if err != nil { + return + } + target, err := url.Parse(newsession.RedirectLocation) + if err != nil { + return + } + token := target.Query().Get("api_token") + tx, err := ctrlctx.CurrentTx(ctx) + if err != nil { + return + } + tokensecret := token + if strings.Contains(token, "/") { + tokenparts := strings.Split(token, "/") + if len(tokenparts) >= 3 { + tokensecret = tokenparts[2] + } + } + var exp sql.NullString + var scopes []byte + err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) + if err != nil { + return + } + resp.ExpiresAt = exp.String + if len(scopes) > 0 { + err = json.Unmarshal(scopes, &resp.Scopes) + if err != nil { + return resp, fmt.Errorf("unmarshal scopes: %s", err) + } + } + return +}