/* Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ solrAdminApp.controller('LoginController', ['$scope', '$routeParams', '$rootScope', '$location', '$window', 'AuthenticationService', 'Constants', function ($scope, $routeParams, $rootScope, $location, $window, AuthenticationService, Constants) { $scope.resetMenu("login", Constants.IS_ROOT_PAGE); $scope.subPath = $routeParams.route; $rootScope.exceptions = {}; // Session variables set in app.js 401 interceptor var wwwAuthHeader = sessionStorage.getItem("auth.wwwAuthHeader"); var authScheme = sessionStorage.getItem("auth.scheme"); if (wwwAuthHeader) { // Parse www-authenticate header var wwwHeader = wwwAuthHeader.match(/(\w+)(\s+)?(.*)/); authScheme = "unknown"; var authParams = {}; if (wwwHeader && wwwHeader.length >= 1) authScheme = wwwHeader[1]; if (wwwHeader && wwwHeader.length >= 3) authParams = www_auth_parse_params(wwwHeader[3]); if (typeof authParams === 'string' || authParams instanceof String) { $scope.authParamsError = authParams; } else { $scope.authParamsError = undefined; } var realm = authParams['realm']; sessionStorage.setItem("auth.realm", realm); if (authScheme === 'Basic' || authScheme === 'xBasic') { authScheme = 'Basic'; } sessionStorage.setItem("auth.scheme", authScheme); } var supportedSchemes = ['Basic', 'Bearer', 'Negotiate']; $scope.authSchemeSupported = supportedSchemes.includes(authScheme); if (authScheme === 'Bearer') { // Check for OpenId redirect response var errorText = ""; $scope.isCallback = false; if ($scope.subPath === 'callback') { $scope.isCallback = true; var hash = $location.hash(); var hp = AuthenticationService.decodeHashParams(hash); var expectedState = sessionStorage.getItem("auth.stateRandom") + "_" + sessionStorage.getItem("auth.location"); sessionStorage.setItem("auth.state", "error"); if (hp['access_token'] && hp['token_type'] && hp['state']) { // Validate state if (hp['state'] !== expectedState) { $scope.error = "Problem with auth callback"; console.log("Expected state param " + expectedState + " but got " + hp['state']); errorText += "Invalid values in state parameter. "; } // Validate token type if (hp['token_type'].toLowerCase() !== "bearer") { console.log("Expected token_type param 'bearer', but got " + hp['token_type']); errorText += "Invalid values in token_type parameter. "; } // Unpack ID token and validate nonce, get username if (hp['id_token']) { var idToken = hp['id_token'].split("."); if (idToken.length === 3) { var payload = AuthenticationService.decodeJwtPart(idToken[1]); if (!payload['nonce'] || payload['nonce'] !== sessionStorage.getItem("auth.nonce")) { errorText += "Invalid 'nonce' value, possible attack detected. Please log in again. "; } if (errorText === "") { sessionStorage.setItem("auth.username", payload['sub']); sessionStorage.setItem("auth.header", "Bearer " + hp['access_token']); sessionStorage.removeItem("auth.statusText"); sessionStorage.removeItem("auth.stateRandom"); sessionStorage.removeItem("auth.wwwAuthHeader"); console.log("User " + payload['sub'] + " is logged in"); var redirectTo = sessionStorage.getItem("auth.location"); console.log("Redirecting to stored location " + redirectTo); sessionStorage.setItem("auth.state", "authenticated"); sessionStorage.removeItem("http401"); $location.path(redirectTo).hash(""); } } else { console.log("Expected JWT compact id_token param but got " + idToken); errorText += "Invalid values in id_token parameter. "; } } else { console.log("Callback was missing the id_token parameter, could not validate nonce."); errorText += "Callback was missing the id_token parameter, could not validate nonce. "; } if (hp['access_token'].split(".").length !== 3) { console.log("Expected JWT compact access_token param but got " + hp['access_token']); errorText += "Invalid values in access_token parameter. "; } if (errorText !== "") { $scope.error = "Problems with OpenID callback"; $scope.errorDescription = errorText; $scope.http401 = "true"; } // End callback processing } else if (hp['error']) { // The callback had errors console.log("Error received from idp: " + hp['error']); var errorDescriptions = {}; errorDescriptions['invalid_request'] = "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."; errorDescriptions['unauthorized_client'] = "The client is not authorized to request an access token using this method."; errorDescriptions['access_denied'] = "The resource owner or authorization server denied the request."; errorDescriptions['unsupported_response_type'] = "The authorization server does not support obtaining an access token using this method."; errorDescriptions['invalid_scope'] = "The requested scope is invalid, unknown, or malformed."; errorDescriptions['server_error'] = "The authorization server encountered an unexpected condition that prevented it from fulfilling the request."; errorDescriptions['temporarily_unavailable'] = "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server."; $scope.error = "Callback from Id Provider contained error. "; if (hp['error_description']) { $scope.errorDescription = decodeURIComponent(hp['error_description']); } else { $scope.errorDescription = errorDescriptions[hp['error']]; } if (hp['error_uri']) { $scope.errorDescription += " More information at " + hp['error_uri'] + ". "; } if (hp['state'] !== expectedState) { $scope.errorDescription += "The state parameter returned from ID Provider did not match the one we sent."; } sessionStorage.setItem("auth.state", "error"); } } } if (errorText === "" && !$scope.error && authParams) { $scope.error = authParams['error']; $scope.errorDescription = authParams['error_description']; $scope.authData = AuthenticationService.getAuthDataHeader(); } $scope.authScheme = sessionStorage.getItem("auth.scheme"); $scope.authRealm = sessionStorage.getItem("auth.realm"); $scope.wwwAuthHeader = sessionStorage.getItem("auth.wwwAuthHeader"); $scope.statusText = sessionStorage.getItem("auth.statusText"); $scope.authLocation = sessionStorage.getItem("auth.location"); $scope.authLoggedinUser = sessionStorage.getItem("auth.username"); $scope.authHeader = sessionStorage.getItem("auth.header"); $scope.login = function () { AuthenticationService.SetCredentials($scope.username, $scope.password); $location.path($scope.authLocation); // Redirect to the location that caused the login prompt }; $scope.logout = function() { // reset login status AuthenticationService.ClearCredentials(); $location.path("/"); }; $scope.jwtLogin = function () { var stateRandom = Math.random().toString(36).substr(2); sessionStorage.setItem("auth.stateRandom", stateRandom); var authState = stateRandom + "_" + sessionStorage.getItem("auth.location"); var authNonce = Math.random().toString(36).substr(2) + Math.random().toString(36).substr(2) + Math.random().toString(36).substr(2); sessionStorage.setItem("auth.nonce", authNonce); var params = { "response_type" : "id_token token", "client_id" : $scope.authData['client_id'], "redirect_uri" : $window.location.href.split('#')[0], "scope" : "openid " + $scope.authData['scope'], "state" : authState, "nonce" : authNonce }; var endpointBaseUrl = $scope.authData['authorizationEndpoint']; var loc = endpointBaseUrl + "?" + paramsToString(params); console.log("Redirecting to " + loc); sessionStorage.setItem("auth.state", "expectCallback"); $window.location.href = loc; function paramsToString(params) { var arr = []; for (var p in params) { if( params.hasOwnProperty(p) ) { arr.push(p + "=" + encodeURIComponent(params[p])); } } return arr.join("&"); } }; $scope.jwtIsLoginNode = function() { var redirect = $scope.authData ? $scope.authData['redirect_uris'] : undefined; if (redirect && Array.isArray(redirect) && redirect.length > 0) { var isLoginNode = false; redirect.forEach(function(uri) { // Check that current node URL is among the configured callback URIs if ($window.location.href.startsWith(uri)) isLoginNode = true; }); return isLoginNode; } else { return true; // no redirect UIRs configured, all nodes are potential login nodes } }; $scope.jwtFindLoginNode = function() { var redirect = $scope.authData ? $scope.authData['redirect_uris'] : undefined; if (redirect && Array.isArray(redirect) && redirect.length > 0) { var loginNode = redirect[0]; redirect.forEach(function(uri) { // if current node is in list, return its callback uri if ($window.location.href.startsWith(uri)) loginNode = uri; }); return loginNode; } else { return $window.location.href.split('#')[0]; // Return base url of current URL as the url to use } }; // Redirect to login node if this is not a valid one $scope.jwtGotoLoginNode = function() { if (!$scope.jwtIsLoginNode()) { $window.location.href = $scope.jwtFindLoginNode(); } }; $scope.jwtLogout = function() { // reset login status AuthenticationService.ClearCredentials(); $location.path("/"); }; $scope.isLoggedIn = function() { return (sessionStorage.getItem("auth.username") !== null); }; }]); // This function is copied and adapted from MIT-licensed https://github.com/randymized/www-authenticate/blob/master/lib/parsers.js www_auth_parse_params= function (header) { // This parser will definitely fail if there is more than one challenge var params = {}; var tok, last_tok, _i, _len, key, value; var state= 0; //0: token, var m= header.split(/([",=])/); for (_i = 0, _len = m.length; _i < _len; _i++) { last_tok= tok; tok = m[_i]; if (!tok.length) continue; switch (state) { case 0: // token key= tok.trim(); state= 1; // expect equals continue; case 1: // expect equals if ('=' != tok) return 'Equal sign was expected after '+key; state= 2; continue; case 2: // expect value if ('"' == tok) { value= ''; state= 3; // expect quoted continue; } else { params[key]= value= tok.trim(); state= 9; // expect comma or end continue; } case 3: // handling quoted string if ('"' == tok) { state= 8; // end quoted continue; } else { value+= tok; state= 3; // continue accumulating quoted string continue; } case 8: // end quote encountered if ('"' == tok) { // double quoted value+= '"'; state= 3; // back to quoted string continue; } if (',' == tok) { params[key]= value; state= 0; continue; } else { return 'Unexpected token ('+tok+') after '+value+'"'; } continue; case 9: // expect commma if (',' != tok) return 'Comma expected after '+value; state= 0; continue; } } switch (state) { // terminal state case 0: // Empty or ignoring terminal comma case 9: // Expecting comma or end of header return params; case 8: // Last token was end quote params[key]= value; return params; default: return 'Unexpected end of www-authenticate value.'; } };