From: Tom Clegg
Date: Tue, 25 Aug 2020 20:41:21 +0000 (-0400)
Subject: 16314: Merge branch 'master'
X-Git-Tag: 2.1.0~107^2~1
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/505c8fa50631201e289cc55230d46fdf52fa2055?hp=a7631a1ccb6e2a6925d00a06562e171c4ce4ea2f
16314: Merge branch 'master'
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/build/run-tests.sh b/build/run-tests.sh
index 6c697a657b..4d76589336 100755
--- a/build/run-tests.sh
+++ b/build/run-tests.sh
@@ -162,9 +162,12 @@ temp_preserve= clear_temp() { if [[ -z "$temp" ]]; then - # we didn't even get as far as making a temp dir + # we did not even get as far as making a temp dir : elif [[ -z "$temp_preserve" ]]; then + # Go creates readonly dirs in the module cache, which cause + # "rm -rf" to fail unless we chmod first. + chmod -R u+w "$temp" rm -rf "$temp" else echo "Leaving behind temp dirs in $temp"
@@ -541,12 +544,12 @@ setup_ruby_environment() { tmpdir_gem_home="$(env - PATH="$PATH" HOME="$GEMHOME" gem env gempath | cut -f1 -d:)" PATH="$tmpdir_gem_home/bin:$PATH" - export GEM_PATH="$tmpdir_gem_home" + export GEM_PATH="$tmpdir_gem_home:$(gem env gempath)" echo "Will install dependencies to $(gem env gemdir)" - echo "Will install arvados gems to $tmpdir_gem_home" + echo "Will install bundler and arvados gems to $tmpdir_gem_home" echo "Gem search path is GEM_PATH=$GEM_PATH" - bundle="$(gem env gempath | cut -f1 -d:)/bin/bundle" + bundle="$tmpdir_gem_home/bin/bundle" ( export HOME=$GEMHOME bundlers="$(gem list --details bundler)"
diff --git a/lib/controller/localdb/login_testuser.go b/lib/controller/localdb/login_testuser.go
index 5a3d803b89..823043702a 100644
--- a/lib/controller/localdb/login_testuser.go
+++ b/lib/controller/localdb/login_testuser.go
@@ -5,9 +5,10 @@ package localdb import ( + "bytes" "context" - "errors" "fmt" + "html/template" "git.arvados.org/arvados.git/lib/controller/rpc" "git.arvados.org/arvados.git/sdk/go/arvados"
@@ -25,7 +26,16 @@ func (ctrl *testLoginController) Logout(ctx context.Context, opts arvados.Logout
 }
 func (ctrl *testLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
- return arvados.LoginResponse{}, errors.New("interactive login is not available")
+ tmpl, err := template.New("form").Parse(loginform)
+ if err != nil {
+ return arvados.LoginResponse{}, err
+ }
+ var buf bytes.Buffer
+ err = tmpl.Execute(&buf, opts)
+ if err != nil {
+ return arvados.LoginResponse{}, err
+ }
+ return arvados.LoginResponse{HTML: buf}, nil
 }
 func (ctrl *testLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
@@ -43,3 +53,52 @@ func (ctrl *testLoginController) UserAuthenticate(ctx context.Context, opts arva } return arvados.APIClientAuthorization{}, fmt.Errorf("authentication failed for user %q with password len=%d", opts.Username, len(opts.Password)) } + +const loginform = ` + + + Arvados test login + + + +
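Review bot: In `Login` (lib/controller/localdb/login_testuser.go), `template.New("form").Parse(loginform)` runs on every request, so a malformed `loginform` is only discovered when someone opens the login page; parsing once at package scope, `var loginTmpl = template.Must(template.New("form").Parse(loginform))`, fails at start-up instead and leaves `Login` with only the `Execute` call. Importing `html/template` rather than `text/template` is what keeps the caller-supplied `opts` (including `ReturnTo`) contextually escaped in the page, and a short comment on `Login` saying so would stop a later refactor from swapping the package. Escaping does not decide whether `ReturnTo` is an acceptable destination; the code that consumes it after authentication is not in this hunk, so that check should be confirmed there.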

Arvados test login

+
+ + username + password + +
+

+
+ + + +`
diff --git a/lib/controller/localdb/login_testuser_test.go b/lib/controller/localdb/login_testuser_test.go
index d2d651e205..7589088899 100644
--- a/lib/controller/localdb/login_testuser_test.go
+++ b/lib/controller/localdb/login_testuser_test.go
@@ -92,3 +92,12 @@ func (s *TestUserSuite) TestLogin(c *check.C) {
 }
 }
 }
+
+func (s *TestUserSuite) TestLoginForm(c *check.C) {
+ resp, err := s.ctrl.Login(s.ctx, arvados.LoginOptions{
+ ReturnTo: "https://localhost:12345/example",
+ })
+ c.Check(err, check.IsNil)
+ c.Check(resp.HTML.String(), check.Matches, `(?ms).*
.*`)
+}
diff --git a/tools/arvbox/bin/arvbox b/tools/arvbox/bin/arvbox
index 5abaa90e36..8f13215bcf 100755
--- a/tools/arvbox/bin/arvbox
+++ b/tools/arvbox/bin/arvbox
@@ -44,10 +44,6 @@ if test -z "$ARVADOS_ROOT" ; then ARVADOS_ROOT="$ARVBOX_DATA/arvados" fi -if test -z "$SSO_ROOT" ; then - SSO_ROOT="$ARVBOX_DATA/sso-devise-omniauth-provider" -fi - if test -z "$COMPOSER_ROOT" ; then COMPOSER_ROOT="$ARVBOX_DATA/composer" fi
@@ -126,7 +122,6 @@ wait_for_arvbox() { docker_run_dev() { docker run \ "--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \ - "--volume=$SSO_ROOT:/usr/src/sso:rw" \ "--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \ "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \ "--volume=$PG_DATA:/var/lib/postgresql:rw" \
@@ -239,9 +234,6 @@ run() { if ! test -d "$ARVADOS_ROOT" ; then git clone https://git.arvados.org/arvados.git "$ARVADOS_ROOT" fi - if ! test -d "$SSO_ROOT" ; then - git clone https://github.com/arvados/sso-devise-omniauth-provider.git "$SSO_ROOT" - fi if ! test -d "$COMPOSER_ROOT" ; then git clone https://github.com/arvados/composer.git "$COMPOSER_ROOT" git -C "$COMPOSER_ROOT" checkout arvados-fork
@@ -268,11 +260,6 @@ run() { /usr/local/lib/arvbox/runsu.sh \ /usr/local/lib/arvbox/waitforpostgres.sh - docker exec -ti \ - $ARVBOX_CONTAINER \ - /usr/local/lib/arvbox/runsu.sh \ - /var/lib/arvbox/service/sso/run-service --only-setup - docker exec -ti \ $ARVBOX_CONTAINER \ /usr/local/lib/arvbox/runsu.sh \
@@ -511,6 +498,7 @@ case "$subcmd" in exit 1 fi set -x + chmod -R u+w "$ARVBOX_DATA" rm -rf "$ARVBOX_DATA" else if test "$1" != -f ; then
@@ -573,7 +561,6 @@ case "$subcmd" in "$ARVBOX_BASE/$1/gopath" \ "$ARVBOX_BASE/$1/Rlibs" \ "$ARVBOX_BASE/$1/arvados" \ - "$ARVBOX_BASE/$1/sso-devise-omniauth-provider" \ "$ARVBOX_BASE/$1/composer" \ "$ARVBOX_BASE/$1/workbench2" \ "$ARVBOX_BASE/$2"
diff --git a/tools/arvbox/lib/arvbox/docker/Dockerfile.demo b/tools/arvbox/lib/arvbox/docker/Dockerfile.demo
index 34d3845eaf..6bc43e2b7a 100644
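Review bot: `TestLoginForm` in login_testuser_test.go only renders a benign `ReturnTo`, so it would still pass if the form were ever rendered without HTML escaping. A second case whose `ReturnTo` contains `<`, `>` and `"`, asserting that the raw string does not appear in `resp.HTML.String()`, would pin the escaping that `html/template` provides. `c.Check(err, check.IsNil)` also lets the test continue to the body match after a failed `Login`; `c.Assert(err, check.IsNil)` stops there with the real error. The expected pattern in the last `c.Check` is garbled on this page, so this is based on the visible `ReturnTo` value alone.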
--- a/tools/arvbox/lib/arvbox/docker/Dockerfile.demo
+++ b/tools/arvbox/lib/arvbox/docker/Dockerfile.demo
@@ -4,7 +4,6 @@ FROM arvados/arvbox-base ARG arvados_version -ARG sso_version=master ARG composer_version=arvados-fork ARG workbench2_version=master
@@ -12,9 +11,6 @@ RUN cd /usr/src && \ git clone --no-checkout https://github.com/arvados/arvados.git && \ git -C arvados checkout ${arvados_version} && \ git -C arvados pull && \ - git clone --no-checkout https://github.com/arvados/sso-devise-omniauth-provider.git sso && \ - git -C sso checkout ${sso_version} && \ - git -C sso pull && \ git clone --no-checkout https://github.com/arvados/composer.git && \ git -C composer checkout ${composer_version} && \ git -C composer pull && \
@@ -27,7 +23,6 @@ ADD service/ /var/lib/arvbox/service RUN ln -sf /var/lib/arvbox/service /etc RUN mkdir -p /var/lib/arvados RUN echo "production" > /var/lib/arvados/api_rails_env -RUN echo "production" > /var/lib/arvados/sso_rails_env RUN echo "production" > /var/lib/arvados/workbench_rails_env RUN /usr/local/lib/arvbox/createusers.sh
@@ -36,7 +31,6 @@ RUN sudo -u arvbox /var/lib/arvbox/service/api/run-service --only-deps RUN sudo -u arvbox /var/lib/arvbox/service/composer/run-service --only-deps RUN sudo -u arvbox /var/lib/arvbox/service/workbench2/run-service --only-deps RUN sudo -u arvbox /var/lib/arvbox/service/keep-web/run-service --only-deps -RUN sudo -u arvbox /var/lib/arvbox/service/sso/run-service --only-deps RUN sudo -u arvbox /var/lib/arvbox/service/workbench/run-service --only-deps RUN sudo -u arvbox /var/lib/arvbox/service/doc/run-service --only-deps RUN sudo -u arvbox /var/lib/arvbox/service/vm/run-service --only-deps
diff --git a/tools/arvbox/lib/arvbox/docker/Dockerfile.dev b/tools/arvbox/lib/arvbox/docker/Dockerfile.dev
index 22668253e1..c7621e387d 100644
--- a/tools/arvbox/lib/arvbox/docker/Dockerfile.dev
+++ b/tools/arvbox/lib/arvbox/docker/Dockerfile.dev
@@ -9,7 +9,6 @@ ADD service/ /var/lib/arvbox/service RUN ln -sf /var/lib/arvbox/service /etc RUN mkdir -p /var/lib/arvados RUN echo "development" > /var/lib/arvados/api_rails_env -RUN echo "development" > /var/lib/arvados/sso_rails_env RUN echo "development" > /var/lib/arvados/workbench_rails_env RUN mkdir /etc/test-service && \
diff --git a/tools/arvbox/lib/arvbox/docker/api-setup.sh b/tools/arvbox/lib/arvbox/docker/api-setup.sh
index 4ed25e03c0..6a261bf4c5 100755
--- a/tools/arvbox/lib/arvbox/docker/api-setup.sh
+++ b/tools/arvbox/lib/arvbox/docker/api-setup.sh
@@ -28,7 +28,6 @@ else secret_token=$(cat /var/lib/arvados/api_secret_token) blob_signing_key=$(cat /var/lib/arvados/blob_signing_key) management_token=$(cat /var/lib/arvados/management_token) - sso_app_secret=$(cat /var/lib/arvados/sso_app_secret) database_pw=$(cat /var/lib/arvados/api_database_pw) vm_uuid=$(cat /var/lib/arvados/vm-uuid)
@@ -37,10 +36,6 @@ $RAILS_ENV: uuid_prefix: $uuid_prefix secret_token: $secret_token blob_signing_key: $blob_signing_key - sso_app_secret: $sso_app_secret - sso_app_id: arvados-server - sso_provider_url: "https://$localip:${services[sso]}" - sso_insecure: false workbench_address: "https://$localip/" websocket_address: "wss://$localip:${services[websockets-ssl]}/websocket" git_repo_ssh_base: "git@$localip:"
diff --git a/tools/arvbox/lib/arvbox/docker/cluster-config.sh b/tools/arvbox/lib/arvbox/docker/cluster-config.sh
index 4798cb6ccd..1413984655 100755
--- a/tools/arvbox/lib/arvbox/docker/cluster-config.sh
+++ b/tools/arvbox/lib/arvbox/docker/cluster-config.sh
@@ -39,11 +39,6 @@ if ! test -s /var/lib/arvados/system_root_token ; then fi system_root_token=$(cat /var/lib/arvados/system_root_token) -if ! test -s /var/lib/arvados/sso_app_secret ; then - ruby -e 'puts rand(2**400).to_s(36)' > /var/lib/arvados/sso_app_secret -fi -sso_app_secret=$(cat /var/lib/arvados/sso_app_secret) - if ! test -s /var/lib/arvados/vm-uuid ; then echo $uuid_prefix-2x53u-$(ruby -e 'puts rand(2**400).to_s(36)[0,15]') > /var/lib/arvados/vm-uuid fi
@@ -83,8 +78,6 @@ Clusters: ExternalURL: "https://$localip:${services[workbench]}" Workbench2: ExternalURL: "https://$localip:${services[workbench2-ssl]}" - SSO: - ExternalURL: "https://$localip:${services[sso]}" Keepproxy: ExternalURL: "https://$localip:${services[keepproxy-ssl]}" InternalURLs:
@@ -139,13 +132,18 @@ Clusters: DefaultReplication: 1 TrustAllContent: true Login: - SSO: + Test: Enable: true - ProviderAppSecret: $sso_app_secret - ProviderAppID: arvados-server + Users: + admin: + Email: admin@example.com + Password: admin + user: + Email: user@example.com + Password: user Users: NewUsersAreActive: true - AutoAdminFirstUser: true + AutoAdminUserWithEmail: admin@example.com AutoSetupNewUsers: true AutoSetupNewUsersWithVmUUID: $vm_uuid AutoSetupNewUsersWithRepository: true
diff --git a/tools/arvbox/lib/arvbox/docker/common.sh b/tools/arvbox/lib/arvbox/docker/common.sh
index 89864d5d18..05491c5361 100644
--- a/tools/arvbox/lib/arvbox/docker/common.sh
+++ b/tools/arvbox/lib/arvbox/docker/common.sh
@@ -33,7 +33,6 @@ services=( [api]=8004 [controller]=8003 [controller-ssl]=8000 - [sso]=8900 [composer]=4200 [arv-git-httpd-ssl]=9000 [arv-git-httpd]=9001
diff --git a/tools/arvbox/lib/arvbox/docker/service/ready/run-service b/tools/arvbox/lib/arvbox/docker/service/ready/run-service
index 470d105375..21cb7d48c6 100755
--- a/tools/arvbox/lib/arvbox/docker/service/ready/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/ready/run-service
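Review bot: The `Login.Test.Users` block added in the third hunk of cluster-config.sh gives every arvbox the same `admin`/`admin` and `user`/`user` passwords, and `AutoAdminUserWithEmail: admin@example.com` makes the first of them an administrator, so anyone who can reach the controller on `$localip` can log in as admin. The same script already creates per-instance secrets on first start (the `test -s /var/lib/arvados/system_root_token` block in the first hunk), and the two passwords could be generated and substituted the same way, e.g. `Password: $test_admin_password` (placeholder variable name). If fixed passwords are intentional for demos, a comment next to `Users:` stating that arvbox must only be reachable from localhost or a trusted network would make that assumption explicit. The YAML appears to sit inside a heredoc that starts outside the hunk.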
@@ -67,8 +67,7 @@ if ! [[ -z "$waiting" ]] ; then gemlockcount=0 for l in /usr/src/arvados/services/api/Gemfile.lock \ - /usr/src/arvados/apps/workbench/Gemfile.lock \ - /usr/src/sso/Gemfile.lock ; do + /usr/src/arvados/apps/workbench/Gemfile.lock ; do gc=$(cat $l \ | grep -vE "(GEM|PLATFORMS|DEPENDENCIES|BUNDLED|GIT|$^|remote:|specs:|revision:)" \ | sed 's/^ *//' | sed 's/(.*)//' | sed 's/ *$//' | sort | uniq | wc -l)
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/log/main/.gitstub b/tools/arvbox/lib/arvbox/docker/service/sso/log/main/.gitstub
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/log/run b/tools/arvbox/lib/arvbox/docker/service/sso/log/run
deleted file mode 120000
index d6aef4a77d..0000000000
--- a/tools/arvbox/lib/arvbox/docker/service/sso/log/run
+++ /dev/null
@@ -1 +0,0 @@
-/usr/local/lib/arvbox/logger
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run b/tools/arvbox/lib/arvbox/docker/service/sso/run
deleted file mode 120000
index a388c8b67b..0000000000
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run
+++ /dev/null
@@ -1 +0,0 @@
-/usr/local/lib/arvbox/runsu.sh
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run-service b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
deleted file mode 100755
index e30e34f7c1..0000000000
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run-service
+++ /dev/null
@@ -1,88 +0,0 @@ -#!/bin/bash -# Copyright (C) The Arvados Authors. All rights reserved. -# -# SPDX-License-Identifier: AGPL-3.0 - -exec 2>&1 -set -ex -o pipefail - -. /usr/local/lib/arvbox/common.sh - -cd /usr/src/sso -if test -s /var/lib/arvados/sso_rails_env ; then - export RAILS_ENV=$(cat /var/lib/arvados/sso_rails_env) -else - export RAILS_ENV=development -fi - -run_bundler --without=development -bundle exec passenger-config build-native-support -bundle exec passenger-config install-standalone-runtime - -if test "$1" = "--only-deps" ; then - exit -fi - -set -u - -uuid_prefix=$(cat /var/lib/arvados/api_uuid_prefix) - -if ! test -s /var/lib/arvados/sso_secret_token ; then - ruby -e 'puts rand(2**400).to_s(36)' > /var/lib/arvados/sso_secret_token -fi -secret_token=$(cat /var/lib/arvados/sso_secret_token) - -openssl verify -CAfile $root_cert $server_cert - -cat >config/application.yml < /var/lib/arvados/sso_database_pw -fi -database_pw=$(cat /var/lib/arvados/sso_database_pw) - -if ! (psql postgres -c "\du" | grep "^ arvados_sso ") >/dev/null ; then - psql postgres -c "create user arvados_sso with password '$database_pw'" - psql postgres -c "ALTER USER arvados_sso CREATEDB;" -fi - -sed "s/password:.*/password: $database_pw/" config/database.yml - -if ! test -f /var/lib/arvados/sso_database_setup ; then - bundle exec rake db:setup - - app_secret=$(cat /var/lib/arvados/sso_app_secret) - - bundle exec rails console <