MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (e.g.,
- # sso-provider).
+ # These settings are provided by your OAuth2 provider (eg
+ # Google) used to perform upstream authentication.
ProviderAppSecret: ""
ProviderAppID: ""
+ # The cluster ID to delegate the user database. When set,
+ # logins on this cluster will be redirected to the login cluster
+ # (login cluster must appear in RemoteHosts with Proxy: true)
+ LoginCluster: ""
+
+ # How long a cached token belonging to a remote cluster will
+ # remain valid before it needs to be revalidated.
+ RemoteTokenRefresh: 5m
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
"InstanceTypes": true,
"InstanceTypes.*": true,
"InstanceTypes.*.*": true,
- "Login": false,
+ "Login": true,
+ "Login.ProviderAppSecret": false,
+ "Login.ProviderAppID": false,
+ "Login.LoginCluster": true,
+ "Login.RemoteTokenRefresh": true,
"Mail": false,
"ManagementToken": false,
"PostgreSQL": false,
MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (e.g.,
- # sso-provider).
+ # These settings are provided by your OAuth2 provider (eg
+ # Google) used to perform upstream authentication.
ProviderAppSecret: ""
ProviderAppID: ""
+ # The cluster ID to delegate the user database. When set,
+ # logins on this cluster will be redirected to the login cluster
+ # (login cluster must appear in RemoteHosts with Proxy: true)
+ LoginCluster: ""
+
+ # How long a cached token belonging to a remote cluster will
+ # remain valid before it needs to be revalidated.
+ RemoteTokenRefresh: 5m
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
Repositories string
}
Login struct {
- ProviderAppSecret string
- ProviderAppID string
+ ProviderAppSecret string
+ ProviderAppID string
+ LoginCluster string
+ RemoteTokenRefresh Duration
}
Mail struct {
MailchimpAPIKey string
# omniauth callback method
def create
+ if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID
+ raise "Local login disabled when LoginCluster is set"
+ end
+
omniauth = request.env['omniauth.auth']
identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false
end
p = []
p << "auth_provider=#{CGI.escape(params[:auth_provider])}" if params[:auth_provider]
- if params[:return_to]
- # Encode remote param inside callback's return_to, so that we'll get it on
- # create() after login.
- remote_param = params[:remote].nil? ? '' : params[:remote]
- p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}"
+
+ if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID
+ host = ApiClientAuthorization.remote_host(uuid_prefix: Rails.configuration.Login.LoginCluster)
+ if not host
+ raise "LoginCluster #{Rails.configuration.Login.LoginCluster} missing from RemoteClusters"
+ end
+ scheme = "https"
+ cluster = Rails.configuration.RemoteClusters[Rails.configuration.Login.LoginCluster]
+ if cluster and cluster['Scheme'] and !cluster['Scheme'].empty?
+ scheme = cluster['Scheme']
+ end
+ login_cluster = "#{scheme}://#{host}"
+ p << "remote=#{CGI.escape(params[:remote])}" if params[:remote]
+ p << "return_to=#{CGI.escape(params[:return_to])}" if params[:return_to]
+ redirect_to "#{login_cluster}/login?#{p.join('&')}"
+ else
+ if params[:return_to]
+ # Encode remote param inside callback's return_to, so that we'll get it on
+ # create() after login.
+ remote_param = params[:remote].nil? ? '' : params[:remote]
+ p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}"
+ end
+ redirect_to "/auth/joshid?#{p.join('&')}"
end
- redirect_to "/auth/joshid?#{p.join('&')}"
end
def send_api_token_to(callback_url, user, remote=nil)
end
def self.remote_host(uuid_prefix:)
- (Rails.configuration.RemoteClusters[uuid_prefix].andand.Host) ||
- (Rails.configuration.RemoteClusters["*"].Proxy &&
+ (Rails.configuration.RemoteClusters[uuid_prefix].andand["Host"]) ||
+ (Rails.configuration.RemoteClusters["*"]["Proxy"] &&
uuid_prefix+".arvadosapi.com")
end
+ def self.make_http_client
+ clnt = HTTPClient.new
+ if Rails.configuration.TLS.Insecure
+ clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ else
+ # Use system CA certificates
+ ["/etc/ssl/certs/ca-certificates.crt",
+ "/etc/pki/tls/certs/ca-bundle.crt"]
+ .select { |ca_path| File.readable?(ca_path) }
+ .each { |ca_path| clnt.ssl_config.add_trust_ca(ca_path) }
+ end
+ clnt
+ end
+
def self.validate(token:, remote: nil)
return nil if !token
remote ||= Rails.configuration.ClusterID
case token[0..2]
when 'v2/'
- _, uuid, secret, optional = token.split('/')
- unless uuid.andand.length == 27 && secret.andand.length.andand > 0
+ _, token_uuid, secret, optional = token.split('/')
+ unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0
return nil
end
# matches expections.
c = Container.where(uuid: optional).first
if !c.nil?
- if !c.auth_uuid.nil? and c.auth_uuid != uuid
+ if !c.auth_uuid.nil? and c.auth_uuid != token_uuid
# token doesn't match the container's token
return nil
end
- if !c.runtime_token.nil? and "v2/#{uuid}/#{secret}" != c.runtime_token
+ if !c.runtime_token.nil? and "v2/#{token_uuid}/#{secret}" != c.runtime_token
# token doesn't match the container's token
return nil
end
end
end
+ # fast path: look up the token in the local database
auth = ApiClientAuthorization.
includes(:user, :api_client).
- where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', uuid).
+ where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token_uuid).
first
if auth && auth.user &&
(secret == auth.api_token ||
secret == OpenSSL::HMAC.hexdigest('sha1', auth.api_token, remote))
+ # found it
return auth
end
- uuid_prefix = uuid[0..4]
- if uuid_prefix == Rails.configuration.ClusterID
- # If the token were valid, we would have validated it above
+ token_uuid_prefix = token_uuid[0..4]
+ if token_uuid_prefix == Rails.configuration.ClusterID
+ # Token is supposedly issued by local cluster, but if the
+ # token were valid, we would have been found in the database
+ # in the above query.
return nil
- elsif uuid_prefix.length != 5
+ elsif token_uuid_prefix.length != 5
# malformed
return nil
end
- host = remote_host(uuid_prefix: uuid_prefix)
+ # Invariant: token_uuid_prefix != Rails.configuration.ClusterID
+ #
+ # In other words the remaing code in this method below is the
+ # case that determines whether to accept a token that was issued
+ # by a remote cluster when the token absent or expired in our
+ # database. To begin, we need to ask the cluster that issued
+ # the token to [re]validate it.
+ clnt = ApiClientAuthorization.make_http_client
+
+ host = remote_host(uuid_prefix: token_uuid_prefix)
if !host
- Rails.logger.warn "remote authentication rejected: no host for #{uuid_prefix.inspect}"
+ Rails.logger.warn "remote authentication rejected: no host for #{token_uuid_prefix.inspect}"
return nil
end
- # Token was issued by a different cluster. If it's expired or
- # missing in our database, ask the originating cluster to
- # [re]validate it.
begin
- clnt = HTTPClient.new
- if Rails.configuration.TLS.Insecure
- clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
- else
- # Use system CA certificates
- ["/etc/ssl/certs/ca-certificates.crt",
- "/etc/pki/tls/certs/ca-bundle.crt"]
- .select { |ca_path| File.readable?(ca_path) }
- .each { |ca_path| clnt.ssl_config.add_trust_ca(ca_path) }
- end
remote_user = SafeJSON.load(
clnt.get_content('https://' + host + '/arvados/v1/users/current',
{'remote' => Rails.configuration.ClusterID},
Rails.logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
return nil
end
- if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String) || remote_user['uuid'][0..4] != uuid[0..4]
+
+ # Check the response is well formed.
+ if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String)
Rails.logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
return nil
end
- act_as_system_user do
- # Add/update user and token in our database so we can
- # validate subsequent requests faster.
-
- user = User.find_or_create_by(uuid: remote_user['uuid']) do |user|
- # (this block runs for the "create" case, not for "find")
- user.is_admin = false
- user.email = remote_user['email']
- if remote_user['username'].andand.length.andand > 0
- user.set_initial_username(requested: remote_user['username'])
- end
- end
+ remote_user_prefix = remote_user['uuid'][0..4]
+
+ # Clusters can only authenticate for their own users.
+ if remote_user_prefix != token_uuid_prefix
+ Rails.logger.warn "remote authentication rejected: claimed remote user #{remote_user_prefix} but token was issued by #{token_uuid_prefix}"
+ return nil
+ end
+
+ # Invariant: remote_user_prefix == token_uuid_prefix
+ # therefore: remote_user_prefix != Rails.configuration.ClusterID
+
+ # Add or update user and token in local database so we can
+ # validate subsequent requests faster.
+
+ user = User.find_by_uuid(remote_user['uuid'])
+
+ if !user
+ # Create a new record for this user.
+ user = User.new(uuid: remote_user['uuid'],
+ is_active: false,
+ is_admin: false,
+ email: remote_user['email'],
+ owner_uuid: system_user_uuid)
+ user.set_initial_username(requested: remote_user['username'])
+ end
+
+ # Sync user record.
+ if remote_user_prefix == Rails.configuration.Login.LoginCluster
+ # Remote cluster controls our user database, copy both
+ # 'is_active' and 'is_admin'
+ user.is_active = remote_user['is_active']
+ user.is_admin = remote_user['is_admin']
+ else
if Rails.configuration.Users.NewUsersAreActive ||
- Rails.configuration.RemoteClusters[remote_user['uuid'][0..4]].andand["ActivateUsers"]
- # Update is_active to whatever it is at the remote end
+ Rails.configuration.RemoteClusters[remote_user_prefix].andand["ActivateUsers"]
+ # Default policy is to activate users, so match activate
+ # with the remote record.
user.is_active = remote_user['is_active']
elsif !remote_user['is_active']
- # Remote user is inactive; our mirror should be, too.
+ # Deactivate user if the remote is inactive, otherwise don't
+ # change 'is_active'.
user.is_active = false
end
+ end
- %w[first_name last_name email prefs].each do |attr|
- user.send(attr+'=', remote_user[attr])
- end
+ %w[first_name last_name email prefs].each do |attr|
+ user.send(attr+'=', remote_user[attr])
+ end
+ act_as_system_user do
user.save!
- auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
+ # We will accept this token (and avoid reloading the user
+ # record) for 'RemoteTokenRefresh' (default 5 minutes).
+ # Possible todo:
+ # Request the actual api_client_auth record from the remote
+ # server in case it wants the token to expire sooner.
+ auth = ApiClientAuthorization.find_or_create_by(uuid: token_uuid) do |auth|
auth.user = user
- auth.api_token = secret
auth.api_client_id = 0
end
-
- # Accept this token (and don't reload the user record) for
- # 5 minutes. TODO: Request the actual api_client_auth
- # record from the remote server in case it wants the token
- # to expire sooner.
auth.update_attributes!(user: user,
api_token: secret,
api_client_id: 0,
- expires_at: Time.now + 5.minutes)
+ expires_at: Time.now + Rails.configuration.Login.RemoteTokenRefresh)
end
return auth
else
+ # token is not a 'v2' token
auth = ApiClientAuthorization.
- includes(:user, :api_client).
- where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token).
- first
+ includes(:user, :api_client).
+ where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token).
+ first
if auth && auth.user
return auth
end
end
+
return nil
end
arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
arvcfg.declare_config "Login.ProviderAppSecret", NonemptyString, :sso_app_secret
arvcfg.declare_config "Login.ProviderAppID", NonemptyString, :sso_app_id
+arvcfg.declare_config "Login.LoginCluster", String
+arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
arvcfg.declare_config "Services.SSO.ExternalURL", NonemptyString, :sso_provider_url
arvcfg.declare_config "AuditLogs.MaxAge", ActiveSupport::Duration, :max_audit_log_age
class UserSessionsControllerTest < ActionController::TestCase
- test "new user from new api client" do
+ test "redirect to joshid" do
+ api_client_page = 'http://client.example.com/home'
+ get :login, params: {return_to: api_client_page}
+ assert_response :redirect
+ assert_equal("http://test.host/auth/joshid?return_to=%2Chttp%3A%2F%2Fclient.example.com%2Fhome", @response.redirect_url)
+ assert_nil assigns(:api_client)
+ end
+
+
+ test "send token when user is already logged in" do
authorize_with :inactive
api_client_page = 'http://client.example.com/home'
get :login, params: {return_to: api_client_page}
get :login, params: {return_to: api_client_page, remote: remote_prefix}
assert_response 400
end
+
+ test "login to LoginCluster" do
+ Rails.configuration.Login.LoginCluster = 'zbbbb'
+ Rails.configuration.RemoteClusters['zbbbb'] = {'Host' => 'zbbbb.example.com'}
+ api_client_page = 'http://client.example.com/home'
+ get :login, params: {return_to: api_client_page}
+ assert_response :redirect
+ assert_equal("https://zbbbb.example.com/login?return_to=http%3A%2F%2Fclient.example.com%2Fhome", @response.redirect_url)
+ assert_nil assigns(:api_client)
+ end
+
+ test "don't go into redirect loop if LoginCluster is self" do
+ Rails.configuration.Login.LoginCluster = 'zzzzz'
+ api_client_page = 'http://client.example.com/home'
+ get :login, params: {return_to: api_client_page}
+ assert_response :redirect
+ assert_equal("http://test.host/auth/joshid?return_to=%2Chttp%3A%2F%2Fclient.example.com%2Fhome", @response.redirect_url)
+ assert_nil assigns(:api_client)
+ end
+
end
@controller = Arvados::V1::UsersController.new
ready = Thread::Queue.new
- srv = WEBrick::HTTPServer.new(
- Port: 0,
- Logger: WEBrick::Log.new(
- Rails.root.join("log", "webrick.log").to_s,
- WEBrick::Log::INFO),
- AccessLog: [[File.open(Rails.root.join(
- "log", "webrick_access.log").to_s, 'a+'),
- WEBrick::AccessLog::COMBINED_LOG_FORMAT]],
- SSLEnable: true,
- SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
- SSLPrivateKey: OpenSSL::PKey::RSA.new(
- File.open(Rails.root.join("tmp", "self-signed.key")).read),
- SSLCertificate: OpenSSL::X509::Certificate.new(
- File.open(Rails.root.join("tmp", "self-signed.pem")).read),
- SSLCertName: [["CN", WEBrick::Utils::getservername]],
- StartCallback: lambda { ready.push(true) })
- srv.mount_proc '/discovery/v1/apis/arvados/v1/rest' do |req, res|
- Rails.cache.delete 'arvados_v1_rest_discovery'
- res.body = Arvados::V1::SchemaController.new.send(:discovery_doc).to_json
- end
- srv.mount_proc '/arvados/v1/users/current' do |req, res|
- res.status = @stub_status
- res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json
- end
- Thread.new do
- srv.start
+
+ @remote_server = []
+ @remote_host = []
+
+ ['zbbbb', 'zbork'].each do |clusterid|
+ srv = WEBrick::HTTPServer.new(
+ Port: 0,
+ Logger: WEBrick::Log.new(
+ Rails.root.join("log", "webrick.log").to_s,
+ WEBrick::Log::INFO),
+ AccessLog: [[File.open(Rails.root.join(
+ "log", "webrick_access.log").to_s, 'a+'),
+ WEBrick::AccessLog::COMBINED_LOG_FORMAT]],
+ SSLEnable: true,
+ SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
+ SSLPrivateKey: OpenSSL::PKey::RSA.new(
+ File.open(Rails.root.join("tmp", "self-signed.key")).read),
+ SSLCertificate: OpenSSL::X509::Certificate.new(
+ File.open(Rails.root.join("tmp", "self-signed.pem")).read),
+ SSLCertName: [["CN", WEBrick::Utils::getservername]],
+ StartCallback: lambda { ready.push(true) })
+ srv.mount_proc '/discovery/v1/apis/arvados/v1/rest' do |req, res|
+ Rails.cache.delete 'arvados_v1_rest_discovery'
+ res.body = Arvados::V1::SchemaController.new.send(:discovery_doc).to_json
+ end
+ srv.mount_proc '/arvados/v1/users/current' do |req, res|
+ if clusterid == 'zbbbb' and req.header['authorization'][0][10..14] == 'zbork'
+ # asking zbbbb about zbork should yield an error, zbbbb doesn't trust zbork
+ res.status = 401
+ return
+ end
+ res.status = @stub_status
+ res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json
+ end
+ srv.mount_proc '/arvados/v1/users/register' do |req, res|
+ res.status = @stub_status
+ res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json
+ end
+ Thread.new do
+ srv.start
+ end
+ ready.pop
+ @remote_server << srv
+ @remote_host << "127.0.0.1:#{srv.config[:Port]}"
end
- ready.pop
- @remote_server = srv
- @remote_host = "127.0.0.1:#{srv.config[:Port]}"
- Rails.configuration.RemoteClusters = Rails.configuration.RemoteClusters.merge({zbbbb: ActiveSupport::InheritableOptions.new({Host: @remote_host}),
- zbork: ActiveSupport::InheritableOptions.new({Host: @remote_host})})
- Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host}"
+ Rails.configuration.RemoteClusters = Rails.configuration.RemoteClusters.merge({zbbbb: ActiveSupport::InheritableOptions.new({Host: @remote_host[0]}),
+ zbork: ActiveSupport::InheritableOptions.new({Host: @remote_host[1]})})
+ Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host[0]}"
@stub_status = 200
@stub_content = {
uuid: 'zbbbb-tpzed-000000000000000',
end
teardown do
- @remote_server.andand.stop
+ @remote_server.each do |srv|
+ srv.stop
+ end
end
test 'authenticate with remote token' do
assert_equal 'foo', json_response['username']
end
- test 'authenticate with remote token from misbhehaving remote cluster' do
+ test 'authenticate with remote token from misbehaving remote cluster' do
get '/arvados/v1/users/current',
params: {format: 'json'},
headers: auth(remote: 'zbork')
assert_equal 'barney', json_response['username']
end
+ test 'get user from Login cluster' do
+ Rails.configuration.Login.LoginCluster = 'zbbbb'
+ get '/arvados/v1/users/current',
+ params: {format: 'json'},
+ headers: auth(remote: 'zbbbb')
+ assert_response :success
+ assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
+ assert_equal true, json_response['is_admin']
+ assert_equal true, json_response['is_active']
+ assert_equal 'foo@example.com', json_response['email']
+ assert_equal 'barney', json_response['username']
+ end
+
test 'pre-activate remote user' do
post '/arvados/v1/users',
params: {