X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/eadb94554a40517ebc367959e70bd41465a5ecdf..2c5417221843491727e4e5505012fc115e3bc7b0:/lib/controller/localdb/login.go?ds=sidebyside diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go index 9a0ee746e6..1cd349a10e 100644 --- a/lib/controller/localdb/login.go +++ b/lib/controller/localdb/login.go @@ -6,9 +6,13 @@ package localdb import ( "context" + "database/sql" + "encoding/json" "errors" + "fmt" "net/http" "net/url" + "strings" "git.arvados.org/arvados.git/lib/controller/rpc" "git.arvados.org/arvados.git/sdk/go/arvados" @@ -37,14 +41,19 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log ClientID: cluster.Login.Google.ClientID, ClientSecret: cluster.Login.Google.ClientSecret, UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses, + EmailClaim: "email", + EmailVerifiedClaim: "email_verified", } case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP: return &oidcLoginController{ - Cluster: cluster, - RailsProxy: railsProxy, - Issuer: cluster.Login.OpenIDConnect.Issuer, - ClientID: cluster.Login.OpenIDConnect.ClientID, - ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + Cluster: cluster, + RailsProxy: railsProxy, + Issuer: cluster.Login.OpenIDConnect.Issuer, + ClientID: cluster.Login.OpenIDConnect.ClientID, + ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, + EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, + UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, } case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP: return &ssoLoginController{railsProxy} @@ -91,9 +100,9 @@ func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.L return arvados.LogoutResponse{RedirectLocation: target}, nil } -func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (arvados.APIClientAuthorization, error) { +func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}}) - resp, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ + newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ // Send a fake ReturnTo value instead of the caller's // opts.ReturnTo. We won't follow the resulting // redirect target anyway. @@ -101,12 +110,36 @@ func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken AuthInfo: authinfo, }) if err != nil { - return arvados.APIClientAuthorization{}, err + return } - target, err := url.Parse(resp.RedirectLocation) + target, err := url.Parse(newsession.RedirectLocation) if err != nil { - return arvados.APIClientAuthorization{}, err + return } token := target.Query().Get("api_token") - return conn.APIClientAuthorizationCurrent(auth.NewContext(ctx, auth.NewCredentials(token)), arvados.GetOptions{}) + tx, err := currenttx(ctx) + if err != nil { + return + } + tokensecret := token + if strings.Contains(token, "/") { + tokenparts := strings.Split(token, "/") + if len(tokenparts) >= 3 { + tokensecret = tokenparts[2] + } + } + var exp sql.NullString + var scopes []byte + err = tx.QueryRowContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) + if err != nil { + return + } + resp.ExpiresAt = exp.String + if len(scopes) > 0 { + err = json.Unmarshal(scopes, &resp.Scopes) + if err != nil { + return resp, fmt.Errorf("unmarshal scopes: %s", err) + } + } + return }