Updated cloud_controller that returns UAA tokens

for filtered email addresses Updated gem md5: fed9927968957574e8002ac9b8f67997 Bumped the uaa submodule pointer Tested on dev_setup and bosh. Change-Id: I95765c7a969c8ad1efb9fb40e24b70591ec6c984
2012-04-07 07:55:51 -07:00 · 2012-04-07 07:55:51 -07:00 · 2d9be87a6d
--- a/cloud_controller/Gemfile
+++ b/cloud_controller/Gemfile
@ -9,7 +9,7 @@ gem 'nats', :require => 'nats/client'
 gem 'vcap_common', :require => ['vcap/common', 'vcap/component']
 gem 'vcap_logging', :require => ['vcap/logging']
 gem 'vcap_staging', '~> 0.1.50'
-gem 'cf-uaa-client', '>= 0.0.6'
+gem 'cf-uaa-client', '>= 0.0.8'

 # For queuing staging tasks
 gem 'em-hiredis'
--- a/cloud_controller/Gemfile.lock
+++ b/cloud_controller/Gemfile.lock
@ -33,7 +33,7 @@ GEM
    arel (2.0.9)
    bcrypt-ruby (2.1.4)
    builder (2.1.2)
-    cf-uaa-client (0.0.6)
+    cf-uaa-client (0.0.8)
      em-http-request (= 1.0.0.beta.3)
      eventmachine
      json_pure
@ -154,7 +154,7 @@ PLATFORMS
 DEPENDENCIES
  SystemTimer (~> 1.2)
  bcrypt-ruby (~> 2.1.4)
-  cf-uaa-client (>= 0.0.6)
+  cf-uaa-client (>= 0.0.8)
  ci_reporter
  delorean
  em-hiredis
--- a/cloud_controller/app/controllers/default_controller.rb
+++ b/cloud_controller/app/controllers/default_controller.rb
@ -12,7 +12,6 @@ class DefaultController < ApplicationController
    }
    if uaa_enabled?
      info[:authorization_endpoint] = AppConfig[:uaa][:url]
-      info[:authenticationEndpoint] = AppConfig[:uaa][:url] # obsolete, can be removed after this release
    end
    # If there is a logged in user, give out additional information
    if user
--- a/cloud_controller/app/controllers/user_tokens_controller.rb
+++ b/cloud_controller/app/controllers/user_tokens_controller.rb
@ -2,6 +2,7 @@ class UserTokensController < ApplicationController

  def create
    email = params['email']
+    CloudController.logger.debug("Login request from #{email}")
    password = body_params[:password]
    if ::User.valid_login?(email, password) || (@current_user && @current_user.admin?)
      # This could just check the ::User.admins variable, but using this method to support changes in admin? in the future
@ -11,7 +12,28 @@ class UserTokensController < ApplicationController
        raise CloudError.new(CloudError::HTTPS_REQUIRED) unless request_https?
      end

-      token = UserToken.create(email)
+      token = nil
+      if uaa_enabled?
+        begin
+          email_filter = AppConfig[:uaa][:token_creation_email_filter]
+          if !email_filter.nil? && email_filter.kind_of?(Array) && email_filter.size() > 0
+            # We would like to have a filter like "vmware.com$|emc.com$"
+            match_phrase = email_filter.size() == 1 ? "#{email_filter[0]}$" : email_filter.reduce{|e, n| e.end_with?("$") ? "#{e}|#{n}$" : "#{e}$|#{n}$"}
+            unless email.match(match_phrase).nil?
+              # Call the uaa to issue a token
+              token = Yajl::Encoder.encode({"token" => UaaToken.id_token(email, password)})
+            end
+          end
+        rescue => e
+          CloudController.logger.error("Failed to fetch a login token from the uaa. email #{email} #{e.message}")
+          # Swallow the exception. If the token fetch from the uaa fails, return the old style token
+        end
+      end
+
+      if token.nil?
+        token = UserToken.create(email)
+      end
+      CloudController.logger.debug("Login request from #{email} token #{token.inspect}")
      render :json => token
    else
      raise CloudError.new(CloudError::FORBIDDEN)
--- a/cloud_controller/app/controllers/users_controller.rb
+++ b/cloud_controller/app/controllers/users_controller.rb
@ -9,7 +9,7 @@ class UsersController < ApplicationController
  def create
    if uaa_enabled?
      begin
-        user_account = Cloudfoundry::Uaa::UserAccount.new(AppConfig[:uaa][:url], UaaToken.access_token)
+        user_account = CF::UAA::UserAccount.new(AppConfig[:uaa][:url], UaaToken.access_token)
        user_account.async = true
        user_account.trace = true
        user_account.logger = CloudController.logger
@ -34,7 +34,7 @@ class UsersController < ApplicationController
  def delete
    if uaa_enabled?
      begin
-        user_account = Cloudfoundry::Uaa::UserAccount.new(AppConfig[:uaa][:url], UaaToken.access_token)
+        user_account = CF::UAA::UserAccount.new(AppConfig[:uaa][:url], UaaToken.access_token)
        user_account.async = true
        user_account.trace = true
        user_account.logger = CloudController.logger
@ -68,7 +68,7 @@ class UsersController < ApplicationController
  def update
    if uaa_enabled?
      begin
-        user_account = Cloudfoundry::Uaa::UserAccount.new(AppConfig[:uaa][:url], UaaToken.access_token)
+        user_account = CF::UAA::UserAccount.new(AppConfig[:uaa][:url], UaaToken.access_token)
        user_account.async = true
        user_account.trace = true
        user_account.logger = CloudController.logger
--- a/cloud_controller/app/models/uaa_token.rb
+++ b/cloud_controller/app/models/uaa_token.rb
@ -3,14 +3,18 @@ require "uaa/token_issuer"

 class UaaToken

-  @uaa_token_coder ||= Cloudfoundry::Uaa::TokenCoder.new(AppConfig[:uaa][:resource_id],
+  @uaa_token_coder ||= CF::UAA::TokenCoder.new(AppConfig[:uaa][:resource_id],
                                                         AppConfig[:uaa][:token_secret])

-  @token_issuer ||= Cloudfoundry::Uaa::TokenIssuer.new(AppConfig[:uaa][:url],
+  @token_issuer ||= CF::UAA::TokenIssuer.new(AppConfig[:uaa][:url],
                                                       AppConfig[:uaa][:resource_id],
                                                       AppConfig[:uaa][:client_secret],
-                                                       "read write password",
-                                                       nil)
+                                                       "read write password")
+
+  @id_token_issuer ||= CF::UAA::TokenIssuer.new(AppConfig[:uaa][:url],
+                                                       "vmc",
+                                                       nil,
+                                                       "read")

  class << self

@ -37,7 +41,7 @@ class UaaToken
    end

    def expired?(access_token)
-      expiry = Cloudfoundry::Uaa::TokenCoder.decode(access_token.split()[1], AppConfig[:uaa][:token_secret])[:expires_at]
+      expiry = CF::UAA::TokenCoder.decode(access_token.split()[1], AppConfig[:uaa][:token_secret])[:expires_at]
      expiry.is_a?(Integer) && expiry <= Time.now.to_i
    end

@ -47,12 +51,21 @@ class UaaToken
        @token_issuer.async = true
        @token_issuer.trace = true
        @token_issuer.logger = CloudController.logger
-        @access_token = @token_issuer.client_credentials_grant()
+        @access_token = @token_issuer.client_credentials_grant().auth_header
      end
      CloudController.logger.debug("access_token #{@access_token}")
      @access_token
    end

+    def id_token(email, password)
+      @id_token_issuer.async = true
+      @id_token_issuer.trace = true
+      @id_token_issuer.logger = CloudController.logger
+      id_token = @id_token_issuer.implicit_grant(username: email, password: password).auth_header
+      CloudController.logger.debug("id_token #{id_token}")
+      id_token
+    end
+
  end

 end
--- a/cloud_controller/config/cloud_controller.yml
+++ b/cloud_controller/config/cloud_controller.yml
@ -99,6 +99,7 @@ uaa:
  resource_id: cloud_controller
  token_secret: tokensecret
  client_secret: cloudcontrollerclientsecret
+  token_creation_email_filter: [vmware.com, rbcon.com]

 # App staging parameters
 staging:
--- a/cloud_controller/spec/support/cloud_spec_helpers.rb
+++ b/cloud_controller/spec/support/cloud_spec_helpers.rb
@ -38,8 +38,8 @@ module CloudSpecHelpers
      email = User === user ? user.email : user.to_s
      if @@use_jwt_token
        token_body = {"resource_ids" => ["cloud_controller"], "foo" => "bar", "email" => email}
-        token_coder = Cloudfoundry::Uaa::TokenCoder.new(AppConfig[:uaa][:resource_id],
-                                                        AppConfig[:uaa][:token_secret])
+        token_coder = CF::UAA::TokenCoder.new(AppConfig[:uaa][:resource_id],
+                                              AppConfig[:uaa][:token_secret])
        token = token_coder.encode(token_body)
        AppConfig[:uaa][:enabled] = true
        headers['HTTP_AUTHORIZATION'] = "bearer #{token}"
--- a/cloud_controller/vendor/cache/cf-uaa-client-0.0.6.gem
+++ b/cloud_controller/vendor/cache/cf-uaa-client-0.0.6.gem
--- a/cloud_controller/vendor/cache/cf-uaa-client-0.0.8.gem
+++ b/cloud_controller/vendor/cache/cf-uaa-client-0.0.8.gem
--- a/dev_setup/cookbooks/cloud_controller/templates/default/cloud_controller.yml.erb
+++ b/dev_setup/cookbooks/cloud_controller/templates/default/cloud_controller.yml.erb
@ -81,6 +81,7 @@ uaa:
  resource_id: cloud_controller
  token_secret: <%= node[:uaa][:jwt_secret] %>
  client_secret: <%= node[:uaa][:cloud_controller][:password] %>
+  token_creation_email_filter: [vmware.com, rbcon.com]

 # App staging parameters
 staging:
--- a/health_manager/Gemfile
+++ b/health_manager/Gemfile
@ -12,7 +12,7 @@ gem 'yajl-ruby', :require => ['yajl', 'yajl/json_gem']

 gem 'vcap_common', '>= 1.0.10'
 gem 'vcap_logging', :require => ['vcap/logging']
-gem 'cf-uaa-client', '>= 0.0.6'
+gem 'cf-uaa-client', '>= 0.0.8'

 group :test do
  gem "rspec"
--- a/health_manager/Gemfile.lock
+++ b/health_manager/Gemfile.lock
@ -3,7 +3,7 @@ GEM
  specs:
    addressable (2.2.6)
    builder (3.0.0)
-    cf-uaa-client (0.0.6)
+    cf-uaa-client (0.0.8)
      em-http-request (= 1.0.0.beta.3)
      eventmachine
      json_pure
@ -61,7 +61,7 @@ PLATFORMS

 DEPENDENCIES
  bundler (>= 1.0.10)
-  cf-uaa-client (>= 0.0.6)
+  cf-uaa-client (>= 0.0.8)
  ci_reporter
  em-http-request (~> 1.0.0.beta.3)
  eventmachine
--- a/health_manager/vendor/cache/cf-uaa-client-0.0.6.gem
+++ b/health_manager/vendor/cache/cf-uaa-client-0.0.6.gem
--- a/health_manager/vendor/cache/cf-uaa-client-0.0.8.gem
+++ b/health_manager/vendor/cache/cf-uaa-client-0.0.8.gem
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit d10d798d4c9e51d9507c98dc9124256c4659402b
+Subproject commit c0202f0a7b72f4355c2021b884d90622bc4b5598