diff --git a/app/controllers/rs/oauth_controller.rb b/app/controllers/rs/oauth_controller.rb
index 67a2beb..6d9d537 100644
--- a/app/controllers/rs/oauth_controller.rb
+++ b/app/controllers/rs/oauth_controller.rb
@@ -3,8 +3,7 @@ class Rs::OauthController < ApplicationController
 before_action :authenticate_user!, only: :create
 def new
- username, org = params[:useraddress].split("@")
- @user = User.where(cn: username.downcase, ou: org).first
+ @user = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
 @scopes = parse_scopes params[:scope]
 @redirect_uri = params[:redirect_uri]
 @client_id = params[:client_id]
@@ -22,7 +21,7 @@ class Rs::OauthController < ApplicationController
 unless current_user == @user
 sign_out :user
- redirect_to new_rs_oauth_url(@user.address,
+ redirect_to new_rs_oauth_url(@user.cn,
 scope: params[:scope],
 redirect_uri: params[:redirect_uri],
 client_id: params[:client_id],
@@ -107,9 +106,8 @@ class Rs::OauthController < ApplicationController
 def require_signed_in_with_username
 unless user_signed_in?
- username, org = params[:useraddress].split("@")
 session[:user_return_to] = request.url
- redirect_to new_user_session_path(cn: username, ou: org)
+ redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
 end
 end
diff --git a/app/controllers/webfinger_controller.rb b/app/controllers/webfinger_controller.rb
index 5cf4012..fbc1bcb 100644
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
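Review bot: The new `@user = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first` line yields nil for an unknown username and nothing in this hunk handles that before `@user` is used; in the second hunk (`@@ -22,7 +21,7 @@`) a signed-in user who requests a name that does not exist is signed out by `sign_out :user` and then `@user.cn` raises NoMethodError, so the session is destroyed and the response is a 500. The removed `@user.address` call had the same exposure, but the rename is the moment to close it: `head 404 and return unless @user` directly after the lookup, which is the idiom the webfinger controller already uses. I cannot see whether a before_action between the hunks already guards this; the `new` action continues outside the hunk.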
@@ -6,15 +6,19 @@ class WebfingerController < ApplicationController
 def show
 resource = params[:resource]
- if resource && resource.match(/acct:\w+/)
- useraddress = resource.split(":").last
- username, org = useraddress.split("@")
- username.downcase!
- unless User.where(cn: username, ou: org).any?
+ if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
+ @username, @org = @useraddress.split("@")
+
+ unless Rails.env.development?
+ # Allow different domains (e.g. localhost:3000) in development only
+ head 404 and return unless @org == Setting.primary_domain
+ end
+
+ unless User.where(cn: @username.downcase, ou: Setting.primary_domain).any?
 head 404 and return
 end
- render json: webfinger(useraddress).to_json,
+ render json: webfinger.to_json,
 content_type: "application/jrd+json"
 else
 head 422 and return
@@ -23,19 +27,18 @@ class WebfingerController < ApplicationController
 private
- def webfinger(useraddress)
+ def webfinger
 links = [];
- links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+ # TODO check if storage service is enabled for user, not just globally
+ links << remotestorage_link if Setting.remotestorage_enabled
 { "links" => links }
 end
- def remotestorage_link(useraddress)
- # TODO use when OAuth routes are available
- # auth_url = new_rs_oauth_url(useraddress)
- auth_url = "https://example.com/rs/oauth"
- storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+ def remotestorage_link
+ auth_url = new_rs_oauth_url("#{@username}@#{Setting.primary_domain}")
+ storage_url = "#{Setting.rs_storage_url}/#{@username}"
 {
 "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
diff --git a/config/routes.rb b/config/routes.rb
index 785b7a2..6e8968c 100644
--- a/config/routes.rb
+++ b/config/routes.rb
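Review bot: `@username` is downcased only inside the `User.where(cn: @username.downcase, ...)` lookup; the link builders in the second hunk interpolate it as the caller typed it, so a request for `acct:Tony@<primary domain>` that matches user `tony` would advertise `.../Tony` as the storage and OAuth URL, which the removed `username.downcase!` line used to prevent. Normalising once after the split, `@username, @org = @useraddress.split("@")` followed by `@username = @username.to_s.downcase`, keeps lookup and response consistent and also avoids the NoMethodError on `nil.downcase` for an address with no local part (e.g. `acct:@`) in development, where the domain check is skipped. The new `/acct:(.+)/` is unanchored and accepts any characters after `acct:`; an anchored pattern such as `/\Aacct:(\S+)\z/` bounds what reaches the directory lookup, as the old `\w+` did. Lint will also flag the assignment inside the `if` condition; a separate `@useraddress = ...` statement before the `if` reads better.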
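Review bot: `auth_url = new_rs_oauth_url("#{@username}@#{Setting.primary_domain}")` advertises the OAuth URL with the full address, but the routes hunk of this commit (`config/routes.rb`, `@@ -78,8 +78,8 @@`) renames the segment to `:username` and drops the `constraints: { useraddress: /[^\/]+/}` that allowed a dot in it; with Rails' default dynamic-segment pattern a request to `/rs/oauth/tony@kosmos.org` would, as far as I can tell, be recognised as `username: "tony@kosmos"` with `format: "org"`, and `Rs::OauthController#new` then looks up `cn: "tony@kosmos"` and finds nothing. Either pass only the cn here, `auth_url = new_rs_oauth_url(@username)`, and adjust the expectation in `spec/requests/webfinger_spec.rb`, or keep a `constraints: { username: /[^\/]+/ }` on the route if clients require the address form. The controller spec only ever passes `user.cn`, so the address form is not exercised end to end. `remotestorage_link` continues outside the hunk.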
@@ -78,8 +78,8 @@ Rails.application.routes.draw do
 namespace :rs do
 resource :oauth, only: [:new, :create], path_names: {
- new: ':useraddress', create: ':useraddress'
- }, controller: 'oauth', constraints: { useraddress: /[^\/]+/}
+ new: ':username', create: ':username'
+ }, controller: 'oauth'
 get 'oauth/token/:id/launch_app' => 'oauth#launch_app', as: :launch_app
 end
diff --git a/docker-compose.yml b/docker-compose.yml
index 3690616..1632c44 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,6 +69,23 @@ services:
 - ldap
 - redis
+ liquor-cabinet:
+ image: gitea.kosmos.org/5apps/liquor-cabinet:latest
+ networks:
+ - external_network
+ - internal_network
+ ports:
+ - "4567:4567"
+ environment:
+ REDIS_HOST: redis
+ REDIS_PORT: 6379
+ REDIS_DB: 2
+ S3_ENDPOINT: https://garage
+ S3_REGION: garage
+ S3_ACCESS_KEY:
+ S3_SECRET_KEY:
+ S3_BUCKET:
+
 # phpldapadmin:
 # image: osixia/phpldapadmin:0.9.0
 # ports:
diff --git a/spec/controllers/rs/oauth_controller_spec.rb b/spec/controllers/rs/oauth_controller_spec.rb
index 48ca14b..c80e427 100644
--- a/spec/controllers/rs/oauth_controller_spec.rb
+++ b/spec/controllers/rs/oauth_controller_spec.rb
@@ -3,7 +3,11 @@ require 'rails_helper'
 RSpec.describe Rs::OauthController, type: :controller do
 let(:user) { create :user }
- describe "GET /rs/oauth/:useraddress" do
+ before do
+ allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
+ end
+
+ describe "GET /rs/oauth/:username" do
 context "when user is signed in" do
 before do
 sign_in user
@@ -14,7 +18,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 before do
 get :new, params: {
- useraddress: other_user.address,
+ username: other_user.cn,
 redirect_uri: "https://example.com",
 client_id: "example.com",
 scope: "examples"
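Review bot: `S3_ACCESS_KEY:`, `S3_SECRET_KEY:` and `S3_BUCKET:` are listed with no value under the new `liquor-cabinet` service, which in Compose means each is taken from the variable of the same name in the shell that runs `docker compose`, and nothing in the file says so; a comment above them such as `# S3_ACCESS_KEY, S3_SECRET_KEY and S3_BUCKET are read from the host environment (or .env); do not fill them in here` would stop the next person from committing values in-line. The `ports: - "4567:4567"` mapping publishes the storage API on every host interface; for a local development compose file `"127.0.0.1:4567:4567"` is the safer default unless something off-host needs to reach it. `S3_ENDPOINT: https://garage` refers to a service not visible in this hunk, so I assume it is defined elsewhere in the file.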
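Review bot: The new top-level `before do allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true) end` stubs a method for every example in the file without saying why; presumably some path in the OAuth flow creates or updates a web-app record whose metadata refresh would otherwise leave the test process, but that is not visible here. A one-line comment naming what `update_metadata` does that makes the stub necessary would save the next reader from digging. rspec-mocks also discourages `allow_any_instance_of`; if the instance is reachable through a `let`, stubbing that instance keeps the intent visible.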
@@ -22,7 +26,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 end
 it "logs out the users and repeats the request" do
- url = new_rs_oauth_url other_user.address,
+ url = new_rs_oauth_url other_user.cn,
 redirect_uri: "https://example.com",
 client_id: "example.com",
 scope: "examples"
@@ -34,7 +38,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "when no valid token exists" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 redirect_uri: "https://example.com",
 client_id: "example.com",
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
@@ -61,7 +65,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "no redirect_uri" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 client_id: "https://example.com"
 }
@@ -75,7 +79,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "no client_id" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 redirect_uri: "https://example.com"
 }
@@ -89,7 +93,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "different host for client_id and redirect_uri" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 redirect_uri: "https://example.com/foobar",
 client_id: "https://google.com"
@@ -116,7 +120,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "with same host for client_id and redirect_uri" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 redirect_uri: "https://example.com",
 client_id: "https://example.com"
@@ -131,7 +135,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "with different host for client_id and redirect_uri" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 redirect_uri: "https://app.example.com",
 client_id: "https://example.com"
@@ -146,7 +150,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "with different redirect_uri" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 redirect_uri: "https://example.com/a_new_route",
 client_id: "https://example.com"
@@ -161,7 +165,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "with state param given" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
 redirect_uri: "https://example.com",
 client_id: "https://example.com",
@@ -178,7 +182,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "no scope" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 redirect_uri: "https://example.com",
 client_id: "https://example.com",
 state: "foobar123"
@@ -193,7 +197,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "empty scope" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "",
 redirect_uri: "https://example.com",
 client_id: "https://example.com",
@@ -210,7 +214,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 context "when user is not signed in" do
 it "redirects to the signin page with username pre-filled" do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "documents,photos",
 redirect_uri: "https://example.com"
 }
@@ -227,7 +231,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 describe "full" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "*:rw",
 redirect_uri: "https://example.com",
 client_id: "example.com"
@@ -243,7 +247,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 describe "read-only" do
 before do
 get :new, params: {
- useraddress: user.address,
+ username: user.cn,
 scope: "*:r",
 redirect_uri: "https://example.com",
 client_id: "example.com"
@@ -258,7 +262,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 end
 end
- describe "POST /rs/oauth/:useraddress" do
+ describe "POST /rs/oauth/:username" do
 context "when user is signed in" do
 before do
 sign_in user
diff --git a/spec/features/rs/oauth_spec.rb b/spec/features/rs/oauth_spec.rb
index a68556f..9e499b8 100644
--- a/spec/features/rs/oauth_spec.rb
+++ b/spec/features/rs/oauth_spec.rb
@@ -10,7 +10,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
 context "with normal permissions" do
 before do
- visit new_rs_oauth_path(useraddress: user.address,
+ visit new_rs_oauth_path(username: user.cn,
 redirect_uri: "http://example.com",
 client_id: "http://example.com",
 scope: "documents,[photos], contacts:r")
@@ -36,7 +36,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
 context "root access" do
 context "full" do
 before do
- visit new_rs_oauth_path(useraddress: user.address,
+ visit new_rs_oauth_path(username: user.cn,
 redirect_uri: "http://example.com",
 client_id: "http://example.com",
 scope: ":rw")
@@ -60,7 +60,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
 end
 it "prefills the username field in the signin form" do
- visit new_rs_oauth_path(useraddress: user.address,
+ visit new_rs_oauth_path(username: user.cn,
 redirect_uri: "http://example.com",
 client_id: "http://example.com",
 scope: "documents,[photos], contacts:r")
@@ -69,7 +69,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
 end
 it "redirects to the OAuth dialog after sign-in" do
- auth_url = new_rs_oauth_url(useraddress: user.address,
+ auth_url = new_rs_oauth_url(username: user.cn,
 redirect_uri: "http://example.com",
 client_id: "http://example.com",
 scope: "documents,[photos], contacts:r")
diff --git a/spec/requests/webfinger_spec.rb b/spec/requests/webfinger_spec.rb
index f944a7a..9d0ae57 100644
--- a/spec/requests/webfinger_spec.rb
+++ b/spec/requests/webfinger_spec.rb
@@ -15,10 +15,10 @@ RSpec.describe "WebFinger", type: :request do
 res = JSON.parse(response.body)
 rs_link = res["links"].find {|l| l["rel"] == "http://tools.ietf.org/id/draft-dejong-remotestorage"}
- expect(rs_link["href"]).to eql("https://storage.kosmos.org/tony@kosmos.org")
+ expect(rs_link["href"]).to eql("https://storage.kosmos.org/tony")
 oauth_url = rs_link["properties"]["http://tools.ietf.org/html/rfc6749#section-4.2"]
- expect(oauth_url).to eql("https://example.com/rs/oauth")
+ expect(oauth_url).to eql("http://www.example.com/rs/oauth/tony@kosmos.org")
 end
 end
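Review bot: The updated `expect(rs_link["href"])` and `expect(oauth_url)` lines pin only the happy path for `tony@kosmos.org`; the controller change in this commit adds a primary-domain check and a downcased `cn` lookup, and neither is exercised here as far as I can see (the rest of the describe block is outside the hunk). Worth adding examples for a resource on another domain, e.g. `acct:tony@other.example`, expecting 404, for `acct:Tony@kosmos.org` pinning the casing of `href` and the OAuth URL, and for a resource without the `acct:` prefix expecting 422, so the response shape is fixed before clients depend on it.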