From: Peter Amstutz Date: Tue, 22 Jun 2021 02:19:17 +0000 (-0400) Subject: 17829: Remove omniauth X-Git-Tag: 2.3.0~169^2~7 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/cbc613e6f91b7fe5685f8551832972968fe677e0 17829: Remove omniauth Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- diff --git a/services/api/Gemfile b/services/api/Gemfile index 7fc7f8757c..39ce5def17 100644 --- a/services/api/Gemfile +++ b/services/api/Gemfile @@ -44,10 +44,6 @@ gem 'passenger' # Locking to 5.10.3 to workaround issue in 5.11.1 (https://github.com/seattlerb/minitest/issues/730) gem 'minitest', '5.10.3' -# Restricted because omniauth >= 1.5.0 requires Ruby >= 2.1.9: -gem 'omniauth', '~> 1.4.0' -gem 'omniauth-oauth2', '~> 1.1' - gem 'andand' gem 'optimist' diff --git a/services/api/Gemfile.lock b/services/api/Gemfile.lock index 7a3180d247..ddecd4a18a 100644 --- a/services/api/Gemfile.lock +++ b/services/api/Gemfile.lock @@ -110,7 +110,6 @@ GEM multi_json (~> 1.11) os (>= 0.9, < 2.0) signet (~> 0.7) - hashie (3.6.0) highline (2.0.1) httpclient (2.8.3) i18n (0.9.5) @@ -148,7 +147,6 @@ GEM mocha (1.8.0) metaclass (~> 0.0.1) multi_json (1.15.0) - multi_xml (0.6.0) multipart-post (2.1.1) net-scp (2.0.0) net-ssh (>= 2.6.5, < 6.0.0) @@ -161,19 +159,7 @@ GEM nokogiri (1.11.7) mini_portile2 (~> 2.5.0) racc (~> 1.4) - oauth2 (1.4.1) - faraday (>= 0.8, < 0.16.0) - jwt (>= 1.0, < 3.0) - multi_json (~> 1.3) - multi_xml (~> 0.5) - rack (>= 1.2, < 3) oj (3.9.2) - omniauth (1.4.3) - hashie (>= 1.2, < 4) - rack (>= 1.6.2, < 3) - omniauth-oauth2 (1.5.0) - oauth2 (~> 1.1) - omniauth (~> 1.2) optimist (3.0.0) os (1.1.1) passenger (6.0.2) @@ -297,8 +283,6 @@ DEPENDENCIES mocha multi_json oj - omniauth (~> 1.4.0) - omniauth-oauth2 (~> 1.1) optimist passenger pg (~> 1.0) diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb index e1ae76ed29..fc33dde447 100644 --- a/services/api/app/controllers/application_controller.rb 
+++ b/services/api/app/controllers/application_controller.rb @@ -397,7 +397,7 @@ class ApplicationController < ActionController::Base if not current_user respond_to do |format| format.json { send_error("Not logged in", status: 401) } - format.html { redirect_to '/auth/joshid' } + format.html { redirect_to '/login' } end false end diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb index 8e9a26b7a8..84dfcdbc9b 100644 --- a/services/api/app/controllers/user_sessions_controller.rb +++ b/services/api/app/controllers/user_sessions_controller.rb @@ -11,7 +11,7 @@ class UserSessionsController < ApplicationController respond_to :html - # omniauth callback method + # create a new session def create if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID raise "Local login disabled when LoginCluster is set" @@ -27,9 +27,7 @@ class UserSessionsController < ApplicationController authinfo = SafeJSON.load(params[:auth_info]) max_expires_at = authinfo["expires_at"] else - # omniauth middleware verified the user and is passing auth_info - # in request.env. - authinfo = request.env['omniauth.auth']['info'].with_indifferent_access + # Legacy code path, fail? end if !authinfo['user_uuid'].blank? @@ -102,9 +100,7 @@ class UserSessionsController < ApplicationController redirect_to "#{Rails.configuration.Services.SSO.ExternalURL}users/sign_out?redirect_uri=#{CGI.escape return_to}" end - # login - Just bounce to /auth/joshid. The only purpose of this function is - # to save the return_to parameter (if it exists; see the application - # controller). /auth/joshid bypasses the application controller. + # login. Redirect to LoginCluster. def login if params[:remote] !~ /^[0-9a-z]{5}$/ && !params[:remote].nil? return send_error 'Invalid remote cluster id', status: 400 
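Review bot: In the `@@ -27,9 +27,7 @@` hunk of user_sessions_controller.rb the `else` branch of `create` now holds only the comment `# Legacy code path, fail?`, so unless `authinfo` is assigned earlier in the method (outside the hunk) it is nil there and the next line, `if !authinfo['user_uuid'].blank?`, raises NoMethodError. The request is then refused only by accident, as an unhandled 500, rather than by an explicit decision in an authentication entry point. Reject it deliberately with the helper already used in `login`, for example `return send_error 'Login requires auth_info from the configured login provider', status: 401` (wording and status are the authors' call). The same placeholder, `# legacy code path, fail?`, is left in the `else` of `login` in the `@@ -136,13 +132,7 @@` hunk, where neither a redirect nor an error is issued, and the application controller now sends unauthenticated HTML requests to `/login`, which presumably routes to that action. The conditions guarding both branches lie outside the hunks, so confirm which configurations still reach them.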
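Review bot: The cluster-id check kept at the top of `login` in the `@@ -102,9 +100,7 @@` hunk, `params[:remote] !~ /^[0-9a-z]{5}$/`, uses `^` and `$`, which in Ruby anchor to line boundaries, so a multi-line value is accepted as long as one of its lines is a five-character id. Anchor to the whole string instead: `if params[:remote] !~ /\A[0-9a-z]{5}\z/ && !params[:remote].nil?`. How `remote` is used afterwards is outside this hunk, so the impact depends on whether it ends up in a redirect URL or a cluster lookup. The new comment `# login. Redirect to LoginCluster.` also describes only one branch of the method, whose body continues past the end of the hunk.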
@@ -136,13 +132,7 @@ class UserSessionsController < ApplicationController p << "return_to=#{CGI.escape(params[:return_to])}" if params[:return_to] redirect_to "#{login_cluster}/login?#{p.join('&')}" else - if params[:return_to] - # Encode remote param inside callback's return_to, so that we'll get it on - # create() after login. - remote_param = params[:remote].nil? ? '' : params[:remote] - p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}" - end - redirect_to "/auth/joshid?#{p.join('&')}" + # legacy code path, fail? end end diff --git a/services/api/app/views/layouts/application.html.erb b/services/api/app/views/layouts/application.html.erb index a99b6f165d..881d1be13b 100644 --- a/services/api/app/views/layouts/application.html.erb +++ b/services/api/app/views/layouts/application.html.erb @@ -23,8 +23,6 @@ SPDX-License-Identifier: AGPL-3.0 %> <% end %>  •  Log out - <% else %> - <% end %> <% if current_user and session[:real_uid] and session[:switch_back_to] and User.find(session[:real_uid].to_i).verify_userswitch_cookie(session[:switch_back_to]) %> diff --git a/services/api/app/views/static/intro.html.erb b/services/api/app/views/static/intro.html.erb index bdefaa5c1f..58943038d1 100644 --- a/services/api/app/views/static/intro.html.erb +++ b/services/api/app/views/static/intro.html.erb @@ -31,7 +31,7 @@ $(function(){ <% if !current_user %>

- Log in here. + Log in here.

<% end %> diff --git a/services/api/app/views/user_sessions/failure.html.erb b/services/api/app/views/user_sessions/failure.html.erb index 81c5be27c6..e8c5b08465 100644 --- a/services/api/app/views/user_sessions/failure.html.erb +++ b/services/api/app/views/user_sessions/failure.html.erb @@ -7,4 +7,4 @@ SPDX-License-Identifier: AGPL-3.0 %> <%= notice %>
-Retry Login +Retry Login diff --git a/services/api/config/environment.rb b/services/api/config/environment.rb index b82ba27f9a..cd706940a3 100644 --- a/services/api/config/environment.rb +++ b/services/api/config/environment.rb @@ -4,7 +4,6 @@ # Load the rails application require_relative 'application' -require 'josh_id' # Initialize the rails application Rails.application.initialize! diff --git a/services/api/config/initializers/omniauth_init.rb b/services/api/config/initializers/omniauth_init.rb deleted file mode 100644 index a1b2356bd5..0000000000 --- a/services/api/config/initializers/omniauth_init.rb +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright (C) The Arvados Authors. All rights reserved. -# -# SPDX-License-Identifier: AGPL-3.0 - -# This file is called omniauth_init.rb instead of omniauth.rb because -# older versions had site configuration in omniauth.rb. -# -# It must come after omniauth.rb in (lexical) load order. - -if defined? CUSTOM_PROVIDER_URL - Rails.logger.warn "Copying omniauth from globals in legacy config file." - Rails.configuration.Login["SSO"]["ProviderAppID"] = APP_ID - Rails.configuration.Login["SSO"]["ProviderAppSecret"] = APP_SECRET - Rails.configuration.Services["SSO"]["ExternalURL"] = CUSTOM_PROVIDER_URL.sub(/\/$/, "") + "/" -else - Rails.application.config.middleware.use OmniAuth::Builder do - provider(:josh_id, - Rails.configuration.Login["SSO"]["ProviderAppID"], - Rails.configuration.Login["SSO"]["ProviderAppSecret"], - Rails.configuration.Services["SSO"]["ExternalURL"]) - end - OmniAuth.config.on_failure = StaticController.action(:login_failure) -end diff --git a/services/api/lib/josh_id.rb b/services/api/lib/josh_id.rb deleted file mode 100644 index f18c0edda0..0000000000 --- a/services/api/lib/josh_id.rb +++ /dev/null 
@@ -1,58 +0,0 @@
-# Copyright (C) The Arvados Authors. All rights reserved.
-#
-# SPDX-License-Identifier: AGPL-3.0
-
-require 'omniauth-oauth2'
-module OmniAuth
- module Strategies
- class JoshId < OmniAuth::Strategies::OAuth2
-
- args [:client_id, :client_secret, :custom_provider_url]
-
- option :custom_provider_url, ''
-
- uid { raw_info['id'] }
-
- option :client_options, {}
-
- info do
- {
- :first_name => raw_info['info']['first_name'],
- :last_name => raw_info['info']['last_name'],
- :email => raw_info['info']['email'],
- :identity_url => raw_info['info']['identity_url'],
- :username => raw_info['info']['username'],
- }
- end
-
- extra do
- {
- 'raw_info' => raw_info
- }
- end
-
- def authorize_params
- options.authorize_params[:auth_provider] = request.params['auth_provider']
- super
- end
-
- def client
- options.client_options[:site] = options[:custom_provider_url]
- options.client_options[:authorize_url] = "#{options[:custom_provider_url]}/auth/josh_id/authorize"
- options.client_options[:access_token_url] = "#{options[:custom_provider_url]}/auth/josh_id/access_token"
- if Rails.configuration.TLS.Insecure
- options.client_options[:ssl] = {verify_mode: OpenSSL::SSL::VERIFY_NONE}
- end
- ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
- end
-
- def callback_url
- full_host + script_name + callback_path + "?return_to=" + CGI.escape(request.params['return_to'] || '')
- end
-
- def raw_info
- @raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
- end
- end
- end
-end