# Default value zero means tokens don't have expiration.
TokenLifetime: 0s
+ # When the token is returned to a client, the token itself may
+ # be restricted from manipulating other tokens based on whether
+ # the client is "trusted" or not. The local Workbench1 are
+ # trusted by default, but if this is a LoginCluster, you
+ # probably want to include the Workbench instances in the
+ # federation in this list.
+ TrustedClients:
+ SAMPLE:
+ "https://workbench.federate1.example": {}
+ "https://workbench.federate2.example": {}
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
# Default value zero means tokens don't have expiration.
TokenLifetime: 0s
+ # When the token is returned to a client, the token itself may
+ # be restricted from manipulating other tokens based on whether
+ # the client is "trusted" or not. The local Workbench1 are
+ # trusted by default, but if this is a LoginCluster, you
+ # probably want to include the Workbench instances in the
+ # federation in this list.
+ TrustedClients:
+ SAMPLE:
+ "https://workbench.federate1.example": {}
+ "https://workbench.federate2.example": {}
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
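Review bot: The explanatory comment in this hunk understates the default trust set: it says only "The local Workbench1 are trusted by default", yet from_trusted_url in this same change also accepts Services.Workbench2.ExternalURL (and an internal controller client URL), so an operator will misjudge which token-manipulating clients are trusted before adding anything here; the sentence also has a number-agreement slip. Suggest `# the client is "trusted" or not. The local Workbench1 and Workbench2 are` followed by `# trusted by default, but if this is a LoginCluster, you`. The identical hunk earlier on the page carries the same text and needs the same wording fix.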
LoginCluster string
RemoteTokenRefresh Duration
TokenLifetime Duration
+ TrustedClients map[string]struct{}
}
Mail struct {
MailchimpAPIKey string
def from_trusted_url
norm_url_prefix = norm(self.url_prefix)
- norm_url_prefix == norm(Rails.configuration.Services.Workbench1.ExternalURL) or
- norm_url_prefix == norm(Rails.configuration.Services.Workbench2.ExternalURL) or
- norm_url_prefix == norm("https://controller.api.client.invalid")
+
+ [Rails.configuration.Services.Workbench1.ExternalURL,
+ Rails.configuration.Services.Workbench2.ExternalURL,
+ "https://controller.api.client.invalid"].each do |url|
+ if norm_url_prefix == norm(url)
+ return true
+ end
+ end
+
+ Rails.configuration.Login.TrustedClients.keys.each do |url|
+ if norm_url_prefix == norm(url)
+ return true
+ end
+ end
+
+ false
end
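Review bot: The two hand-written `each` loops with `return true` inside are the accumulate-and-return pattern that `Enumerable#any?` expresses directly; folding the built-in list and `Login.TrustedClients.keys` into one array and calling `any?` keeps the same short-circuit order and the same result while removing the duplicated loop body. Separately, `norm` is applied to every configured TrustedClients key on every call, and `URI()` raises `URI::InvalidURIError` on a malformed key, so a typo in that config entry would presumably surface as an exception from token creation rather than as a config-load error — worth either validating the keys when the config is declared or documenting that expectation above the method.
```ruby
  def from_trusted_url
    norm_url_prefix = norm(self.url_prefix)
    candidates = [Rails.configuration.Services.Workbench1.ExternalURL,
                  Rails.configuration.Services.Workbench2.ExternalURL,
                  "https://controller.api.client.invalid"] +
                 Rails.configuration.Login.TrustedClients.keys
    candidates.any? { |url| norm_url_prefix == norm(url) }
  end
```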
def norm url
# normalize URL for comparison
- url = URI(url)
+ url = URI(url.to_s)
if url.scheme == "https"
url.port == "443"
end
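Review bot: The switch to `URI(url.to_s)` is undocumented, and its reason is not obvious from the line itself: the callers now pass URI objects (the Workbench ExternalURL values) and hash keys from TrustedClients, which the test sets up as symbols, so a short why-comment would help the next reader, e.g. `# url may be a String, Symbol (config hash key) or URI; stringify before parsing`. The enclosing `norm` method ends outside this hunk, so the rest of the normalization was not reviewed; note though that the context line `url.port == "443"` compares an Integer port with a String and is always false if the page renders it faithfully, which would make the https normalization a no-op and is worth checking since this method gates the trusted-client comparison.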
arvcfg.declare_config "Login.SSO.ProviderAppSecret", String, :sso_app_secret
arvcfg.declare_config "Login.SSO.ProviderAppID", String, :sso_app_id
arvcfg.declare_config "Login.LoginCluster", String
+arvcfg.declare_config "Login.TrustedClients", Hash
arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
arvcfg.declare_config "Login.TokenLifetime", ActiveSupport::Duration
arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
Rails.configuration.Login.TokenLifetime = token_lifetime_enabled ? 8.hours : 0
Rails.configuration.Services.Workbench1.ExternalURL = URI("http://wb1.example.com")
Rails.configuration.Services.Workbench2.ExternalURL = URI("https://wb2.example.com:443")
+ Rails.configuration.Login.TrustedClients = ActiveSupport::OrderedOptions.new
+ Rails.configuration.Login.TrustedClients[:"https://wb3.example.com"] = ActiveSupport::OrderedOptions.new
act_as_system_user do
[["http://wb0.example.com", false],
["http://wb2.example.com", false],
["https://wb2.example.com", true],
["https://wb2.example.com/", true],
+ ["https://wb3.example.com/", true],
+ ["https://wb4.example.com/", false],
].each do |pfx, result|
a = ApiClient.create(url_prefix: pfx, is_trusted: false)
if token_lifetime_enabled
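Review bot: The new cases cover a trusted entry (wb3) and an unrelated host (wb4), but nothing pins that a TrustedClients entry is matched on scheme as well as host, the way the existing `["http://wb2.example.com", false]` case does for the built-in Workbench2 URL; a scheme-downgraded prefix should not inherit the trust of its https counterpart. Suggest adding `["http://wb3.example.com", false],` alongside the wb3 line. The `act_as_system_user do` block and the per-case assertions continue outside this hunk.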