Merge pull request #12697 from jvlcek/master_bz1390349_2fa

Support a separate auth URL for external authentication (cherry picked from commit ad93833) https://bugzilla.redhat.com/show_bug.cgi?id=1397091
ManageIQ · Nov 21, 2016 · 686bf6f · 686bf6f
1 parent 0323f78
commit 686bf6f
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 10 deletions.
diff --git a/app/assets/javascripts/miq_application.js b/app/assets/javascripts/miq_application.js
@@ -841,6 +841,27 @@ function miqAjaxAuthSso(url) {
   });
 }
 
+// Send External Authentication via ajax
+function miqAjaxExtAuth(url) {
+  miqEnableLoginFields(false);
+  miqSparkleOn();
+
+  // Note: /dashboard/external_authenticate creates an API token
+  //       based on the authenticated external user
+  //       and stores it in sessionStore.miq_token
+
+  var credentials = {
+    login: $('#user_name').val(),
+    password: $('#user_password').val(),
+    serialized: miqSerializeForm('login_div'),
+  }
+
+  miqJqueryRequest(url || '/dashboard/external_authenticate', {
+    beforeSend: true,
+    data: credentials.serialized,
+  });
+}
+
 // add a flash message to an existing #flash_msg_div
 // levels are error, warning, info, success
 function add_flash(msg, level, options) {

diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
@@ -1,10 +1,12 @@
 class DashboardController < ApplicationController
   @@items_per_page = 8
 
-  before_action :check_privileges, :except => [:csp_report, :authenticate, :kerberos_authenticate,
+  before_action :check_privileges, :except => [:csp_report, :authenticate,
+                                               :external_authenticate, :kerberos_authenticate,
                                                :logout, :login, :login_retry, :wait_for_task,
                                                :saml_login, :initiate_saml_login]
-  before_action :get_session_data, :except => [:csp_report, :authenticate, :kerberos_authenticate, :saml_login]
+  before_action :get_session_data, :except => [:csp_report, :authenticate,
+                                               :external_authenticate, :kerberos_authenticate, :saml_login]
   after_action :cleanup_action,    :except => [:csp_report]
   after_action :set_session_data,  :except => [:csp_report]
 
@@ -402,13 +404,14 @@ def saml_login
     end
   end
 
+  # Handle external-auth signon from login screen
+  def external_authenticate
+    authenticate_external_user_generate_api_token
+  end
+
   # Handle single-signon from login screen
   def kerberos_authenticate
-    if @user_name.blank? && request.headers["X-Remote-User"].present?
-      @user_name = params[:user_name] = request.headers["X-Remote-User"].split("@").first
-    end
-
-    authenticate(true)
+    authenticate_external_user_generate_api_token
   end
 
   # Handle user credentials from login screen
@@ -598,6 +601,15 @@ def auth_error
 
   private
 
+  # Authenticate external user and generate API token
+  def authenticate_external_user_generate_api_token
+    if @user_name.blank? && request.headers["X-Remote-User"].present?
+      @user_name = params[:user_name] = request.headers["X-Remote-User"].split("@").first
+    end
+
+    authenticate(true)
+  end
+
   def tl_toggle_button_enablement(button_id, enablement, typ)
     if enablement == :enabled
       tooltip = _("Download this Timeline data in %{typ} format") % {:typ => typ}

diff --git a/app/views/dashboard/login.html.haml b/app/views/dashboard/login.html.haml
@@ -49,15 +49,15 @@
             = text_field_tag('user_name', @user_name,
                              :class => "form-control",
                              :placeholder => _('Username'),
-                             :onkeypress => "if (miqEnterPressed(event)) miqAjaxAuth();")
+                             :onkeypress => ext_auth? ? "if (miqEnterPressed(event)) miqAjaxExtAuth();" : "if (miqEnterPressed(event)) miqAjaxAuth();")
             = javascript_tag(javascript_focus('user_name'))
 
         .form-group
           %label.col-md-3.control-label= _('Password')
           .col-md-9
             = password_field_tag('user_password',
               @user_password,
-              :onkeypress => "if (miqEnterPressed(event)) miqAjaxAuth();",
+              :onkeypress => ext_auth? ? "if (miqEnterPressed(event)) miqAjaxExtAuth();" : "if (miqEnterPressed(event)) miqAjaxAuth();",
               :autocomplete => "off",
               :placeholder => (auth_mode == "httpd" ? _('Password or Password+One-Time-Password') : _('Password')),
               :class => "form-control")
@@ -98,7 +98,7 @@
                       :class                => "btn btn-primary",
                       :alt                  => _("Login"),
                       :title                => _("Login"),
-                      :onclick              => "miqAjaxAuth('#{j login_url}'); return false;")
+                      :onclick              => ext_auth? ? "miqAjaxExtAuth(); return false;" : "miqAjaxAuth('#{j login_url}'); return false;")
 
             = link_to(_("SSO Login"), '',
                       :id                    => "sso_login",

diff --git a/config/routes.rb b/config/routes.rb
@@ -982,6 +982,7 @@
         widget_to_pdf
       ),
       :post => %w(
+        external_authenticate
         kerberos_authenticate
         initiate_saml_login
         authenticate