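# Authenticates the current request and resolves the user it acts as.
#
# Credentials are taken from the broker_auth_key / broker_auth_iv pair
# (request params first, then request headers) when the User-Agent is
# "OpenShift", and from HTTP Basic otherwise or when that pair is absent.
# They are handed to OpenShift::AuthService, whose result supplies @login and
# @auth_method.
#
# When the X-Impersonate-User header is present, the authenticated user must
# exist, must hold the "subaccounts" capability, and must own the named
# subaccount (or the subaccount must not exist yet, in which case it is
# created under the authenticated user). Otherwise @cloud_user is the
# authenticated user, created on first sight.
#
# Sets @request_id, @login, @auth_method, @cloud_user and, when impersonating,
# @parent_user. An OpenShift::AccessDeniedException raised along the way is
# logged through log_action and answered with an HTTP Basic challenge.
def authenticate
  login = nil
  password = nil
  @request_id = gen_req_uuid

  # NOTE(review): User-Agent is client-supplied, so this comparison only
  # selects where credentials are read from; it is not an access control.
  if request.headers['User-Agent'] == "OpenShift"
    if params['broker_auth_key'] && params['broker_auth_iv']
      login = params['broker_auth_key']
      password = params['broker_auth_iv']
    elsif request.headers['broker_auth_key'] && request.headers['broker_auth_iv']
      login = request.headers['broker_auth_key']
      password = request.headers['broker_auth_iv']
    end
  end

  # Fall back to HTTP Basic when no complete broker key/iv pair was supplied.
  if login.nil? || password.nil?
    authenticate_with_http_basic do |basic_user, basic_password|
      login = basic_user
      password = basic_password
    end
  end

  begin
    auth = OpenShift::AuthService.instance.authenticate(request, login, password)
    @login = auth[:username]
    @auth_method = auth[:auth_method]

    # NOTE(review): this header value is client-controlled and is interpolated
    # into the log lines and exception messages below as-is; confirm the log
    # sink tolerates control characters or escape the value before logging.
    subuser_name = request.headers["X-Impersonate-User"]

    if subuser_name.nil?
      @cloud_user = CloudUser.find @login
      if @cloud_user.nil?
        Rails.logger.debug "Adding user #{@login}...inside base_controller"
        @cloud_user = CloudUser.new(@login)
        init_user
      end
    else
      @parent_user = CloudUser.find @login
      if @parent_user.nil?
        Rails.logger.debug "#{@login} tried to impersonate user but #{@login} user does not exist"
        raise OpenShift::AccessDeniedException.new("Insufficient privileges to access user #{subuser_name}")
      end

      # The capability must be exactly `true`. The previous form,
      # `!caps["subaccounts"] == true`, parsed as `(!caps["subaccounts"]) == true`
      # and therefore let any truthy value (a string, a number) grant
      # impersonation; compare explicitly so the check fails closed.
      parent_caps = @parent_user.capabilities
      if parent_caps.nil? || parent_caps["subaccounts"] != true
        Rails.logger.debug "#{@parent_user.login} tried to impersonate user but does not have require capability."
        raise OpenShift::AccessDeniedException.new("Insufficient privileges to access user #{subuser_name}")
      end

      sub_user = CloudUser.find subuser_name
      # An existing account may only be impersonated by the parent recorded on it.
      if sub_user && sub_user.parent_user_login != @parent_user.login
        Rails.logger.debug "#{@parent_user.login} tried to impersinate user #{subuser_name} but does not own the subaccount."
        raise OpenShift::AccessDeniedException.new("Insufficient privileges to access user #{subuser_name}")
      end

      if sub_user.nil?
        # Unknown subaccount names are created on demand under the parent.
        Rails.logger.debug "Adding user #{subuser_name} as sub user of #{@parent_user.login} ...inside base_controller"
        @cloud_user = CloudUser.new(subuser_name, nil, nil, nil, {}, @parent_user.login)
        @cloud_user.parent_user_login = @parent_user.login
        init_user
      else
        @cloud_user = sub_user
      end
    end

    @cloud_user.auth_method = @auth_method unless @cloud_user.nil?
  rescue OpenShift::AccessDeniedException
    # NOTE(review): the fifth argument is `true` on the access-denied path; if
    # that parameter is a success flag, denials are recorded as successes --
    # confirm against log_action's signature.
    log_action(@request_id, 'nil', login, "AUTHENTICATE", true, "Access denied")
    request_http_basic_authentication
  end
end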