From c4bf3c349264a785a342ad560c6f71792c66b4f8 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Thu, 20 Nov 2014 17:09:06 -0500
Subject: [PATCH] 4570: Workbench/API server support for multiple
authentication providers on the SSO server.
---
apps/workbench/app/models/arvados_api_client.rb | 1 +
apps/workbench/app/views/users/welcome.html.erb | 16 +++++++++++-----
.../app/controllers/user_sessions_controller.rb | 5 +++--
services/api/config/application.default.yml | 7 ++++++-
services/api/lib/josh_id.rb | 14 +++++++++++---
5 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/apps/workbench/app/models/arvados_api_client.rb b/apps/workbench/app/models/arvados_api_client.rb
index 0a99d662cb..5b2311dce9 100644
--- a/apps/workbench/app/models/arvados_api_client.rb
+++ b/apps/workbench/app/models/arvados_api_client.rb
@@ -213,6 +213,7 @@ class ArvadosApiClient
CGI.escape(k.to_s) + '=' + CGI.escape(v.to_s)
}.join('&')
end
+ uri
end
def arvados_logout_url(params={})
diff --git a/apps/workbench/app/views/users/welcome.html.erb b/apps/workbench/app/views/users/welcome.html.erb
index 9cacebda02..53b2ab8bb2 100644
--- a/apps/workbench/app/views/users/welcome.html.erb
+++ b/apps/workbench/app/views/users/welcome.html.erb
@@ -23,14 +23,20 @@
<%= Rails.configuration.site_name %> uses your name and
- email address only for identification, and does not retrieve
- any other personal information from Google.
+ email address only for identification, and does not retrieve
+ any other personal information from Google.
- <%= link_to arvados_api_client.arvados_login_url(return_to: request.url), class: "pull-right btn btn-primary" do %>
- Log in to <%= Rails.configuration.site_name %>
-
+
+ <%= form_tag(arvados_api_client.arvados_login_url(), :method => :get, :authenticity_token => false) do %>
+ <%= hidden_field_tag 'return_to', request.url %>
+
+ <%= select_tag "auth_method", "".html_safe, class: "form-control", style: "width: 15em; display: inline" %>
+ <%= button_tag class: "btn btn-primary" do %>
+ Log in to <%= Rails.configuration.site_name %>
+ <% end %>
+
<% end %>
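Review bot: The paragraph still tells the user that no other personal information is retrieved "from Google", while the form directly below it now lets them pick an `auth_method`, so the sentence is wrong for any provider other than Google; rephrase it along the lines of `any other personal information from the identity provider you choose.` The `select_tag "auth_method", "".html_safe` renders a select with no options, so unless something outside this patch fills it in (presumably client-side) the form always submits an empty `auth_method`; if the options are populated elsewhere, say so in the template, e.g. `<%# auth_method options are populated by <PLACEHOLDER: script/partial name> %>`, otherwise render them with `options_for_select`.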
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 3e79915f3c..3a5be1c7e1 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -99,6 +99,7 @@ class UserSessionsController < ApplicationController
# to save the return_to parameter (if it exists; see the application
# controller). /auth/joshid bypasses the application controller.
def login
+ auth_method = params[:auth_method] || "google"
if current_user and params[:return_to]
# Already logged in; just need to send a token to the requesting
# API client.
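Review bot: `params[:auth_method] || "google"` does not fall back when the parameter is present but blank, because `""` is truthy in Ruby, so a form that submits an empty select yields `auth_method=` in the redirects built in the next hunk rather than the Google default; use `auth_method = params[:auth_method].presence || "google"`. The value is user-controlled and is forwarded verbatim to the SSO server, which is therefore the place that must reject unknown methods; a comment stating that contract, e.g. `# auth_method is passed through to the SSO server, which validates it against its configured providers`, would make the trust boundary explicit. The `login` method continues below this hunk.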
@@ -108,9 +109,9 @@ class UserSessionsController < ApplicationController
send_api_token_to(params[:return_to], current_user)
elsif params[:return_to]
- redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}"
+ redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}&auth_method=#{CGI.escape(auth_method)}"
else
- redirect_to "/auth/joshid"
+ redirect_to "/auth/joshid?auth_method=#{CGI.escape(auth_method)}"
end
end
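Review bot: Both `redirect_to` branches now assemble the same `/auth/joshid` query by hand with string interpolation and `CGI.escape`, which is easy to get subtly wrong as more parameters are added; building the query from a hash collapses them into one branch, e.g. `query = { auth_method: auth_method, return_to: params[:return_to] }.compact.to_query` followed by `redirect_to "/auth/joshid?#{query}"`. `to_query` is ActiveSupport and already available in this controller. The `login` method's opening `if` is in the previous hunk.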
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index cc46d042b2..4396418dfb 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -105,7 +105,7 @@ common:
# silenced by throttling are not counted against this total.
crunch_limit_log_bytes_per_job: 67108864
- # Path to dns server configuration directory (e.g. /etc/unbound.d/conf.d),
+ # Path to dns server configuration directory (e.g. /etc/unbound.d/conf.d),
# or false = do not update dns server data.
dns_server_conf_dir: false
@@ -241,3 +241,8 @@ common:
# Default lifetime for ephemeral collections: 2 weeks.
default_trash_lifetime: 1209600
+
+ # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the Single Sign
+ # On (sso) server. Should only be enabled during development when the SSO
+ # server is using a self-signed cert.
+ sso_insecure: false
\ No newline at end of file
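Review bot: The new `sso_insecure` key is written without a trailing newline (the `\ No newline at end of file` marker), which makes the next append to this file produce a noisy diff; end the file with a newline. The comment would also be more useful if it named where the flag is honoured, since the reader cannot tell from here, e.g. `# Read by lib/josh_id.rb when it builds the OAuth2 client.`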
diff --git a/services/api/lib/josh_id.rb b/services/api/lib/josh_id.rb
index 25656a9781..c0efb512b4 100644
--- a/services/api/lib/josh_id.rb
+++ b/services/api/lib/josh_id.rb
@@ -25,21 +25,29 @@ module OmniAuth
'raw_info' => raw_info
}
end
-
+
+ def authorize_params
+ options.authorize_params[:auth_method] = request.params['auth_method']
+ super
+ end
+
def client
options.client_options[:site] = options[:custom_provider_url]
options.client_options[:authorize_url] = "#{options[:custom_provider_url]}/auth/josh_id/authorize"
options.client_options[:access_token_url] = "#{options[:custom_provider_url]}/auth/josh_id/access_token"
+ if Rails.configuration.sso_insecure
+ options.client_options[:ssl] = {verify_mode: OpenSSL::SSL::VERIFY_NONE}
+ end
::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
end
def callback_url
- full_host + script_name + callback_path + query_string
+ full_host + script_name + callback_path + "?return_to=" + CGI.escape(request.params['return_to'])
end
def raw_info
@raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
end
- end
+ end
end
end
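Review bot: `callback_url` now calls `CGI.escape(request.params['return_to'])` unconditionally, but the controller in this same patch redirects to `/auth/joshid?auth_method=...` without a `return_to` when none was supplied, and `CGI.escape(nil)` raises `TypeError`, so that login path fails in the request phase; guard the parameter: `url = full_host + script_name + callback_path`, `return_to = request.params['return_to']`, `return_to ? url + "?return_to=" + CGI.escape(return_to) : url`. Note that this also drops the previous `query_string` passthrough, so any other query parameters on the callback are no longer preserved; if that is intended, a one-line comment saying so would help. The `sso_insecure` branch in `client` sets `VERIFY_NONE` on the OAuth2 client, which disables both certificate and hostname verification, so its effect should be surfaced at startup (e.g. a `Rails.logger.warn` when it is enabled) rather than silently read. The enclosing strategy class begins before this hunk.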
--
2.30.2