Remove the API token generation from external login

ManageIQ · Jan 17, 2019 · 92f7a7a · 92f7a7a
1 parent 361c209
commit 92f7a7a
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 24 deletions.
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
@@ -507,16 +507,16 @@ def saml_login
 
   # Handle external-auth signon from login screen
   def external_authenticate
-    authenticate_external_user_generate_api_token
+    authenticate_external_user
   end
 
   # Handle single-signon from login screen
   def kerberos_authenticate
-    authenticate_external_user_generate_api_token
+    authenticate_external_user
   end
 
   # Handle user credentials from login screen
-  def authenticate(require_api_token = false)
+  def authenticate
     @layout = "dashboard"
 
     unless params[:task_id] # First time thru, check for buttons pressed
@@ -566,10 +566,8 @@ def authenticate(require_api_token = false)
     when :wait_for_task
       # noop, page content already set by initiate_wait_for_task
     when :pass
-      miq_api_token = require_api_token ? generate_ui_api_token(user[:name]) : nil
       render :update do |page|
         page << javascript_prologue
-        page << "localStorage.miq_token = '#{j_str(miq_api_token)}';" if miq_api_token
         page.redirect_to(validation.url)
       end
     when :fail
@@ -585,11 +583,6 @@ def authenticate(require_api_token = false)
     end
   end
 
-  def generate_ui_api_token(userid)
-    @api_user_token_service ||= Api::UserTokenService.new
-    @api_user_token_service.generate_token(userid, "ui")
-  end
-
   def timeline
     @breadcrumbs = []
     @layout      = "timeline"
@@ -746,13 +739,12 @@ def session_init(db_user)
 
   private
 
-  # Authenticate external user and generate API token
-  def authenticate_external_user_generate_api_token
+  def authenticate_external_user
     if @user_name.blank? && request.headers["X-Remote-User"].present?
       @user_name = params[:user_name] = request.headers["X-Remote-User"].split("@").first
     end
 
-    authenticate(true)
+    authenticate
   end
 
   def tl_toggle_button_enablement(button_id, enablement, typ)
@@ -864,8 +856,7 @@ def identity_provider_login(identity_type)
     when :pass
       render :template => "dashboard/#{identity_type}",
              :layout   => false,
-             :locals   => {:api_auth_token => generate_ui_api_token(@user_name),
-                           :validation_url => validation.url}
+             :locals   => {:validation_url => validation.url}
       return
     when :fail
       session[:user_validation_error] = validation.flash_msg || "User validation failed"

diff --git a/app/views/dashboard/oidc_login.html.haml b/app/views/dashboard/oidc_login.html.haml
@@ -5,10 +5,9 @@
     = javascript_include_tag 'application'
 
   %body
-    - if api_auth_token && validation_url
+    - if validation_url
       :javascript
         miqFlashClearSaved();
-        localStorage.miq_token = '#{j_str api_auth_token}';
         window.location = '#{j_str validation_url}';
     - else
       :javascript

diff --git a/app/views/dashboard/saml_login.html.haml b/app/views/dashboard/saml_login.html.haml
@@ -6,10 +6,9 @@
     = javascript_include_tag 'application'
 
   %body
-    - if api_auth_token && validation_url
+    - if validation_url
       :javascript
         miqFlashClearSaved();
-        localStorage.miq_token = '#{j_str api_auth_token}';
         window.location = '#{j_str validation_url}';
     - else
       :javascript

diff --git a/spec/controllers/dashboard_controller_spec.rb b/spec/controllers/dashboard_controller_spec.rb
@@ -117,21 +117,17 @@
     %i(saml oidc).each do |protocol|
       it "#{protocol.upcase} protected page should render the #{protocol}_login page with the proper validation_url and api token" do
         user           = FactoryBot.create(:user, :userid => "johndoe", :role => "test")
-        auth_token     = "aabbccddeeff"
         validation_url = "/user_validation_url"
 
         request.env["HTTP_X_REMOTE_USER"] = user.userid
         skip_data_checks(validation_url)
 
         allow(User).to receive(:authenticate).and_return(user)
-        allow_any_instance_of(Api::UserTokenService).to receive(:generate_token)
-          .with(user.userid, "ui")
-          .and_return(auth_token)
 
         expect(controller).to receive(:render)
           .with(:template => "dashboard/#{protocol}_login",
                 :layout   => false,
-                :locals   => {:api_auth_token => auth_token, :validation_url => validation_url})
+                :locals   => {:validation_url => validation_url})
           .exactly(1).times
 
         controller.send("#{protocol}_login")
@@ -505,6 +501,15 @@
     end
   end
 
+  describe '#authenticate_external_user' do
+    it 'sets the user name based on the header' do
+      allow(controller).to receive(:authenticate)
+      request.headers['X-Remote-User'] = 'foo@bar'
+      controller.send(:authenticate_external_user)
+      expect(assigns(:user_name)).to eq('foo')
+    end
+  end
+
   def skip_data_checks(url = '/')
     allow_any_instance_of(UserValidationService).to receive(:server_ready?).and_return(true)
     allow(controller).to receive(:start_url_for_user).and_return(url)