X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d9b8396a05f3f4d187fbcadad6f63c019865e6fc..2c5417221843491727e4e5505012fc115e3bc7b0:/lib/controller/localdb/login.go?ds=sidebyside

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 04fb82bd5b..1cd349a10e 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -6,9 +6,13 @@ package localdb
 
 import (
 	"context"
+	"database/sql"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"git.arvados.org/arvados.git/lib/controller/rpc"
 	"git.arvados.org/arvados.git/sdk/go/arvados"
@@ -37,34 +41,19 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 			ClientID:           cluster.Login.Google.ClientID,
 			ClientSecret:       cluster.Login.Google.ClientSecret,
 			UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
+			EmailClaim:         "email",
+			EmailVerifiedClaim: "email_verified",
 		}
 	case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
-		issuer := cluster.Login.OpenIDConnect.Issuer
-		if issuer.Path == "/" {
-			// The OIDC library returns an error if the
-			// config says "https://example/" and the
-			// issuer identifies itself as
-			// "https://example", even though those URLs
-			// are equivalent
-			// (https://tools.ietf.org/html/rfc3986#section-6.2.3).
-			//
-			// Our config loader adds "/" to URLs with
-			// empty path, so we strip it off here and
-			// count on the issuer to do the same when
-			// identifying itself, as Google does.
-			//
-			// (Non-empty paths as in
-			// "https://example/foo/" are preserved by the
-			// config loader so the config just has to
-			// match the issuer's response.)
-			issuer.Path = ""
-		}
 		return &oidcLoginController{
-			Cluster:      cluster,
-			RailsProxy:   railsProxy,
-			Issuer:       issuer.String(),
-			ClientID:     cluster.Login.OpenIDConnect.ClientID,
-			ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
+			Cluster:            cluster,
+			RailsProxy:         railsProxy,
+			Issuer:             cluster.Login.OpenIDConnect.Issuer,
+			ClientID:           cluster.Login.OpenIDConnect.ClientID,
+			ClientSecret:       cluster.Login.OpenIDConnect.ClientSecret,
+			EmailClaim:         cluster.Login.OpenIDConnect.EmailClaim,
+			EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim,
+			UsernameClaim:      cluster.Login.OpenIDConnect.UsernameClaim,
 		}
 	case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP:
 		return &ssoLoginController{railsProxy}
@@ -111,9 +100,9 @@ func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.L
 	return arvados.LogoutResponse{RedirectLocation: target}, nil
 }
 
-func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (arvados.APIClientAuthorization, error) {
+func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) {
 	ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
-	resp, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
+	newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
 		// Send a fake ReturnTo value instead of the caller's
 		// opts.ReturnTo. We won't follow the resulting
 		// redirect target anyway.
@@ -121,12 +110,36 @@ func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken
 		AuthInfo: authinfo,
 	})
 	if err != nil {
-		return arvados.APIClientAuthorization{}, err
+		return
 	}
-	target, err := url.Parse(resp.RedirectLocation)
+	target, err := url.Parse(newsession.RedirectLocation)
 	if err != nil {
-		return arvados.APIClientAuthorization{}, err
+		return
 	}
 	token := target.Query().Get("api_token")
-	return conn.APIClientAuthorizationCurrent(auth.NewContext(ctx, auth.NewCredentials(token)), arvados.GetOptions{})
+	tx, err := currenttx(ctx)
+	if err != nil {
+		return
+	}
+	tokensecret := token
+	if strings.Contains(token, "/") {
+		tokenparts := strings.Split(token, "/")
+		if len(tokenparts) >= 3 {
+			tokensecret = tokenparts[2]
+		}
+	}
+	var exp sql.NullString
+	var scopes []byte
+	err = tx.QueryRowContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
+	if err != nil {
+		return
+	}
+	resp.ExpiresAt = exp.String
+	if len(scopes) > 0 {
+		err = json.Unmarshal(scopes, &resp.Scopes)
+		if err != nil {
+			return resp, fmt.Errorf("unmarshal scopes: %s", err)
+		}
+	}
+	return
 }