[ARVADOS] created: c4bf3c349264a785a342ad560c6f71792c66b4f8
git at public.curoverse.com
git at public.curoverse.com
Thu Nov 20 17:08:32 EST 2014
at c4bf3c349264a785a342ad560c6f71792c66b4f8 (commit)
commit c4bf3c349264a785a342ad560c6f71792c66b4f8
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Nov 20 17:09:06 2014 -0500
4570: Workbench/API server support for multiple authentication providers on the SSO server.
diff --git a/apps/workbench/app/models/arvados_api_client.rb b/apps/workbench/app/models/arvados_api_client.rb
index 0a99d66..5b2311d 100644
--- a/apps/workbench/app/models/arvados_api_client.rb
+++ b/apps/workbench/app/models/arvados_api_client.rb
@@ -213,6 +213,7 @@ class ArvadosApiClient
CGI.escape(k.to_s) + '=' + CGI.escape(v.to_s)
}.join('&')
end
+ uri
end
def arvados_logout_url(params={})
diff --git a/apps/workbench/app/views/users/welcome.html.erb b/apps/workbench/app/views/users/welcome.html.erb
index 9cacebd..53b2ab8 100644
--- a/apps/workbench/app/views/users/welcome.html.erb
+++ b/apps/workbench/app/views/users/welcome.html.erb
@@ -23,14 +23,20 @@
</p><p>
<i><%= Rails.configuration.site_name %> uses your name and
- email address only for identification, and does not retrieve
- any other personal information from Google.</i>
+ email address only for identification, and does not retrieve
+ any other personal information from Google.</i>
</p>
<p>
- <%= link_to arvados_api_client.arvados_login_url(return_to: request.url), class: "pull-right btn btn-primary" do %>
- Log in to <%= Rails.configuration.site_name %>
- <i class="fa fa-fw fa-arrow-circle-right"></i>
+ <!-- <%= arvados_api_client.arvados_login_url %> -->
+ <%= form_tag(arvados_api_client.arvados_login_url(), :method => :get, :authenticity_token => false) do %>
+ <%= hidden_field_tag 'return_to', request.url %>
+ <div class="row pull-right">
+ <%= select_tag "auth_method", "<option value='google'>Google OpenID</option><option value='google_oauth2'>Google OAuth2</option>".html_safe, class: "form-control", style: "width: 15em; display: inline" %>
+ <%= button_tag class: "btn btn-primary" do %>
+ Log in to <%= Rails.configuration.site_name %> <i class="fa fa-fw fa-arrow-circle-right"></i>
+ <% end %>
+ </div>
<% end %>
</p>
</div>
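Review bot: The HTML comment `<!-- <%= arvados_api_client.arvados_login_url %> -->` looks like a debugging leftover and writes the API server login URL into the source of every welcome page; it should be dropped. The provider list passed to `select_tag` is a hard-coded `html_safe` string, which is safe only while it stays a literal. Building it with `options_for_select([['Google OpenID', 'google'], ['Google OAuth2', 'google_oauth2']])` removes the need for `html_safe` and keeps a later edit from interpolating unescaped data. The paragraph above the form still says information is retrieved only from Google, which may need rewording once other providers are offered.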
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 3e79915..3a5be1c 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -99,6 +99,7 @@ class UserSessionsController < ApplicationController
# to save the return_to parameter (if it exists; see the application
# controller). /auth/joshid bypasses the application controller.
def login
+ auth_method = params[:auth_method] || "google"
if current_user and params[:return_to]
# Already logged in; just need to send a token to the requesting
# API client.
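Review bot: `auth_method` is taken straight from `params[:auth_method]` and forwarded to `/auth/joshid` by both redirects in the next hunk, with no check that it names a provider the SSO server supports. `CGI.escape` keeps the URL well-formed for strings, but a non-string value (an array or hash parameter) would presumably make `CGI.escape` raise and turn the login into a 500. Restricting it to known values, e.g. `auth_method = "google" unless %w[google google_oauth2].include?(auth_method)`, covers both cases; the list should match whatever the SSO server accepts. The body of `login` continues outside this hunk.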
@@ -108,9 +109,9 @@ class UserSessionsController < ApplicationController
send_api_token_to(params[:return_to], current_user)
elsif params[:return_to]
- redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}"
+ redirect_to "/auth/joshid?return_to=#{CGI.escape(params[:return_to])}&auth_method=#{CGI.escape(auth_method)}"
else
- redirect_to "/auth/joshid"
+ redirect_to "/auth/joshid?auth_method=#{CGI.escape(auth_method)}"
end
end
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index cc46d04..4396418 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -105,7 +105,7 @@ common:
# silenced by throttling are not counted against this total.
crunch_limit_log_bytes_per_job: 67108864
- # Path to dns server configuration directory (e.g. /etc/unbound.d/conf.d),
+ # Path to dns server configuration directory (e.g. /etc/unbound.d/conf.d),
# or false = do not update dns server data.
dns_server_conf_dir: false
@@ -241,3 +241,8 @@ common:
# Default lifetime for ephemeral collections: 2 weeks.
default_trash_lifetime: 1209600
+
+ # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the Single Sign
+ # On (sso) server. Should only be enabled during development when the SSO
+ # server is using a self-signed cert.
+ sso_insecure: false
\ No newline at end of file
diff --git a/services/api/lib/josh_id.rb b/services/api/lib/josh_id.rb
index 25656a9..c0efb51 100644
--- a/services/api/lib/josh_id.rb
+++ b/services/api/lib/josh_id.rb
@@ -25,21 +25,29 @@ module OmniAuth
'raw_info' => raw_info
}
end
-
+
+ def authorize_params
+ options.authorize_params[:auth_method] = request.params['auth_method']
+ super
+ end
+
def client
options.client_options[:site] = options[:custom_provider_url]
options.client_options[:authorize_url] = "#{options[:custom_provider_url]}/auth/josh_id/authorize"
options.client_options[:access_token_url] = "#{options[:custom_provider_url]}/auth/josh_id/access_token"
+ if Rails.configuration.sso_insecure
+ options.client_options[:ssl] = {verify_mode: OpenSSL::SSL::VERIFY_NONE}
+ end
::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
end
def callback_url
- full_host + script_name + callback_path + query_string
+ full_host + script_name + callback_path + "?return_to=" + CGI.escape(request.params['return_to'])
end
def raw_info
@raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
end
- end
+ end
end
end
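Review bot: `callback_url` now calls `CGI.escape(request.params['return_to'])` unconditionally, so a login started without `return_to` (the controller's `else` branch redirects to `/auth/joshid?auth_method=...` with none) will raise on `nil` instead of building a callback URL. Guard it, e.g. `rt = request.params['return_to']` followed by `full_host + script_name + callback_path + (rt ? "?return_to=" + CGI.escape(rt.to_s) : "")`. Separately, the `sso_insecure` branch turns off certificate verification on the connection that carries `client_secret` and the access token, so it would be worth logging a warning, or refusing the setting, when `Rails.env.production?` is true. `authorize_params` also stores `nil` under `:auth_method` when the request has no such parameter; whether the SSO server tolerates that is not visible here.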
-----------------------------------------------------------------------
hooks/post-receive
--