From c4bf3c349264a785a342ad560c6f71792c66b4f8 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Thu, 20 Nov 2014 17:09:06 -0500
Subject: [PATCH] 4570: Workbench/API server support for multiple authentication providers on the SSO server.

---
 apps/workbench/app/models/arvados_api_client.rb | 1 +
 apps/workbench/app/views/users/welcome.html.erb | 16 +++++++++++-----
 .../app/controllers/user_sessions_controller.rb | 5 +++--
 services/api/config/application.default.yml | 7 ++++++-
 services/api/lib/josh_id.rb | 14 +++++++++++---
 5 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/apps/workbench/app/models/arvados_api_client.rb b/apps/workbench/app/models/arvados_api_client.rb
index 0a99d662cb..5b2311dce9 100644
--- a/apps/workbench/app/models/arvados_api_client.rb
+++ b/apps/workbench/app/models/arvados_api_client.rb
@@ -213,6 +213,7 @@ class ArvadosApiClient
 CGI.escape(k.to_s) + '=' + CGI.escape(v.to_s)
 }.join('&')
 end
+ uri
 end
 def arvados_logout_url(params={})
diff --git a/apps/workbench/app/views/users/welcome.html.erb b/apps/workbench/app/views/users/welcome.html.erb
index 9cacebda02..53b2ab8bb2 100644
--- a/apps/workbench/app/views/users/welcome.html.erb
+++ b/apps/workbench/app/views/users/welcome.html.erb
@@ -23,14 +23,20 @@

<%= Rails.configuration.site_name %> uses your name and - email address only for identification, and does not retrieve - any other personal information from Google. + email address only for identification, and does not retrieve + any other personal information from Google.

- <%= link_to arvados_api_client.arvados_login_url(return_to: request.url), class: "pull-right btn btn-primary" do %> - Log in to <%= Rails.configuration.site_name %> - + + <%= form_tag(arvados_api_client.arvados_login_url(), :method => :get, :authenticity_token => false) do %> + <%= hidden_field_tag 'return_to', request.url %> +

+ <%= select_tag "auth_method", "".html_safe, class: "form-control", style: "width: 15em; display: inline" %> + <%= button_tag class: "btn btn-primary" do %> + Log in to <%= Rails.configuration.site_name %> + <% end %> +
<% end %>

diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 3e79915f3c..3a5be1c7e1 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -99,6 +99,7 @@ class UserSessionsController < ApplicationController
 # to save the return_to parameter (if it exists; see the application
 # controller). /auth/joshid bypasses the application controller.
 def login
+ auth_method = params[:auth_method] || "google"
 if current_user and params[:return_to]
 # Already logged in; just need to send a token to the requesting
 # API client.
@@ -108,9 +109,9 @@ class UserSessionsController < ApplicationController
 send_api_token_to(params[:return_to], current_user)
 elsif params[:return_to]
- redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}"
+ redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}&auth_method=#{CGI.escape(auth_method)}"
 else
- redirect_to "/auth/joshid"
+ redirect_to "/auth/joshid?auth_method=#{CGI.escape(auth_method)}"
 end
 end
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index cc46d042b2..4396418dfb 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -105,7 +105,7 @@ common:
 # silenced by throttling are not counted against this total.
 crunch_limit_log_bytes_per_job: 67108864
- # Path to dns server configuration directory (e.g. /etc/unbound.d/conf.d),
+ # Path to dns server configuration directory (e.g. /etc/unbound.d/conf.d),
 # or false = do not update dns server data.
 dns_server_conf_dir: false
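Review bot: `auth_method = params[:auth_method] || "google"` in the first hunk only falls back when the parameter is absent, but an empty string is truthy in Ruby, and the Workbench form in this same patch always submits `auth_method` (its `select_tag` is rendered with an empty option set), so a blank selection reaches the redirects in the second hunk as `auth_method=` instead of `google`. Using `auth_method = params[:auth_method].presence || "google"` makes blank values default as well. The value is user-controlled and is forwarded to `/auth/joshid` without validation; `CGI.escape` keeps it from breaking the URL, but checking it against the set of providers the SSO server is actually configured with (not visible in this patch) would reject unexpected values at this boundary rather than downstream. The second hunk shares this point; the `login` method starts in the first hunk and ends in the second.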
@@ -241,3 +241,8 @@ common:
 # Default lifetime for ephemeral collections: 2 weeks.
 default_trash_lifetime: 1209600
+
+ # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the Single Sign
+ # On (sso) server. Should only be enabled during development when the SSO
+ # server is using a self-signed cert.
+ sso_insecure: false
\ No newline at end of file
diff --git a/services/api/lib/josh_id.rb b/services/api/lib/josh_id.rb
index 25656a9781..c0efb512b4 100644
--- a/services/api/lib/josh_id.rb
+++ b/services/api/lib/josh_id.rb
@@ -25,21 +25,29 @@ module OmniAuth
 'raw_info' => raw_info
 }
 end
-
+
+ def authorize_params
+ options.authorize_params[:auth_method] = request.params['auth_method']
+ super
+ end
+
 def client
 options.client_options[:site] = options[:custom_provider_url]
 options.client_options[:authorize_url] = "#{options[:custom_provider_url]}/auth/josh_id/authorize"
 options.client_options[:access_token_url] = "#{options[:custom_provider_url]}/auth/josh_id/access_token"
+ if Rails.configuration.sso_insecure
+ options.client_options[:ssl] = {verify_mode: OpenSSL::SSL::VERIFY_NONE}
+ end
 ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
 end
 def callback_url
- full_host + script_name + callback_path + query_string
+ full_host + script_name + callback_path + "?return_to=" + CGI.escape(request.params['return_to'])
 end
 def raw_info
 @raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
 end
- end
+ end
 end
 end
-- 
2.30.2
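Review bot: `callback_url` now calls `CGI.escape(request.params['return_to'])`, which raises when `return_to` is absent, and the API server's `login` action in this same patch redirects to `/auth/joshid?auth_method=…` with no `return_to` when none was supplied, so that path would now fail where the old `query_string` form tolerated it. Guard the nil case, e.g. `rt = request.params['return_to']` followed by `full_host + script_name + callback_path + (rt ? "?return_to=#{CGI.escape(rt)}" : "")`. In `client`, the `sso_insecure` branch sets `OpenSSL::SSL::VERIFY_NONE`, which disables certificate verification for the token exchange with the SSO server; the yml comment says development only, but nothing enforces it, so consider honouring the flag only when `Rails.env.development?` or at least logging a warning at boot when it is set, so a leftover setting is not silently carried into production. `authorize_params` also writes the per-request `auth_method` into the shared `options` object; as far as I recall OmniAuth dups the strategy per call but that shallow copy still shares the `options` hash, in which case concurrent logins could observe each other's value, and merging the parameter into the hash returned by `super` would avoid the shared write.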