From 46e89dee414cb1f0eac82c3a13d24c9de67a6ee4 Mon Sep 17 00:00:00 2001 From: alfonsomthd Date: Tue, 5 Feb 2019 13:24:47 +0100 Subject: [PATCH] mgr/dashboard: SSO - UserDoesNotExist page MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit * Added sso/404 page for use case when user logs in successfully in identity provider but the user does not exist in ceph. * The page includes a link to perform a logout in IdP and return to login page. Fixes: https://tracker.ceph.com/issues/37917 Signed-off-by: Alfonso Martínez --- src/pybind/mgr/dashboard/controllers/saml2.py | 6 ++-- .../frontend/src/app/app-routing.module.ts | 3 ++ .../frontend/src/app/core/auth/auth.module.ts | 2 ++ .../sso-not-found.component.html | 15 ++++++++++ .../sso-not-found.component.scss | 11 +++++++ .../sso-not-found.component.spec.ts | 30 +++++++++++++++++++ .../sso-not-found/sso-not-found.component.ts | 14 +++++++++ .../frontend/src/locale/messages.xlf | 12 ++++++++ 8 files changed, 89 insertions(+), 4 deletions(-) create mode 100644 src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.html create mode 100644 src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.scss create mode 100644 src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.spec.ts create mode 100644 src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.ts diff --git a/src/pybind/mgr/dashboard/controllers/saml2.py b/src/pybind/mgr/dashboard/controllers/saml2.py index b3f9147234a3f..223521ee2de5e 100644 --- a/src/pybind/mgr/dashboard/controllers/saml2.py +++ b/src/pybind/mgr/dashboard/controllers/saml2.py 
@@ -66,18 +66,16 @@ class Saml2(BaseController): SSO_DB.saml2.get_username_attribute(), auth.get_attributes())) username = username_attribute[0] + url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default='')) try: ACCESS_CTRL_DB.get_user(username) except UserDoesNotExist: - raise cherrypy.HTTPError(400, - 'SSO error - Username `{}` does not exist.' - .format(username)) + raise cherrypy.HTTPRedirect("{}/#/sso/404".format(url_prefix)) token = JwtManager.gen_token(username) JwtManager.set_user(JwtManager.decode_token(token)) token = token.decode('utf-8') logger.debug("JWT Token: %s", token) - url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default='')) raise cherrypy.HTTPRedirect("{}/#/login?access_token={}".format(url_prefix, token)) else: return { diff --git a/src/pybind/mgr/dashboard/frontend/src/app/app-routing.module.ts b/src/pybind/mgr/dashboard/frontend/src/app/app-routing.module.ts index fddc917b75947..b2cb31b1d5d80 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/app-routing.module.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/app-routing.module.ts @@ -27,6 +27,7 @@ import { RgwUserListComponent } from './ceph/rgw/rgw-user-list/rgw-user-list.com import { LoginComponent } from './core/auth/login/login.component'; import { RoleFormComponent } from './core/auth/role-form/role-form.component'; import { RoleListComponent } from './core/auth/role-list/role-list.component'; +import { SsoNotFoundComponent } from './core/auth/sso/sso-not-found/sso-not-found.component'; import { UserFormComponent } from './core/auth/user-form/user-form.component'; import { UserListComponent } from './core/auth/user-list/user-list.component'; import { ForbiddenComponent } from './core/forbidden/forbidden.component'; @@ -256,6 +257,8 @@ const routes: Routes = [ } ] }, + // Single Sign-On (SSO) + { path: 'sso/404', component: SsoNotFoundComponent }, // System { path: 'login', component: LoginComponent }, { path: 'logout', children: [] }, 
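Review bot: The new `except UserDoesNotExist` branch redirects to `/#/sso/404` without recording anything server-side, so a login that succeeded at the IdP for an account not provisioned in Ceph appears to leave no application log entry now that the HTTP 400 carrying the username is gone. Add a line before the raise, for example `logger.warning("SSO login rejected: user %r does not exist", username)`, and pass the username as a logging argument rather than formatting it in, because it comes from the IdP assertion. Separately, the unchanged `logger.debug("JWT Token: %s", token)` a few lines below writes a usable session token to the log; it predates this commit but should be dropped or masked. The enclosing method starts and ends outside the hunk.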
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts index 7c0dd9c2bdde3..93aa4c887ac32 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts @@ -12,6 +12,7 @@ import { LoginComponent } from './login/login.component'; import { RoleDetailsComponent } from './role-details/role-details.component'; import { RoleFormComponent } from './role-form/role-form.component'; import { RoleListComponent } from './role-list/role-list.component'; +import { SsoNotFoundComponent } from './sso/sso-not-found/sso-not-found.component'; import { UserFormComponent } from './user-form/user-form.component'; import { UserListComponent } from './user-list/user-list.component'; import { UserTabsComponent } from './user-tabs/user-tabs.component'; @@ -32,6 +33,7 @@ import { UserTabsComponent } from './user-tabs/user-tabs.component'; RoleDetailsComponent, RoleFormComponent, RoleListComponent, + SsoNotFoundComponent, UserTabsComponent, UserListComponent, UserFormComponent diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.html b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.html new file mode 100644 index 0000000000000..b9284bfdcd6ac --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.html @@ -0,0 +1,15 @@ +
+
+

Sorry, the user does not exist in Ceph.

+

Return to Login Page. You'll be logged out from the Identity Provider when you retry logging in.

+ + + + "Nautilus Octopus" by Jin Kemoole is licensed under + CC BY 2.0 + +
+
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.scss b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.scss new file mode 100644 index 0000000000000..fdf2e7100f615 --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.scss @@ -0,0 +1,11 @@ +h1 { + font-size: -webkit-xxx-large; +} + +* { + font-family: monospace; +} + +img { + width: 50vw; +} diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.spec.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.spec.ts new file mode 100644 index 0000000000000..528c7b1bae8de --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.spec.ts @@ -0,0 +1,30 @@ +import { ComponentFixture, TestBed } from '@angular/core/testing'; + +import { configureTestBed } from '../../../../../testing/unit-test-helper'; +import { SsoNotFoundComponent } from './sso-not-found.component'; + +describe('SsoNotFoundComponent', () => { + let component: SsoNotFoundComponent; + let fixture: ComponentFixture; + + configureTestBed({ + declarations: [SsoNotFoundComponent] + }); + + beforeEach(() => { + fixture = TestBed.createComponent(SsoNotFoundComponent); + component = fixture.componentInstance; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + it('should render the correct logout url', () => { + const expectedUrl = `http://localhost/auth/saml2/slo`; + const logoutAnchor = fixture.debugElement.nativeElement.querySelector('.sso-logout'); + + expect(logoutAnchor.href).toEqual(expectedUrl); + }); +}); 
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.ts new file mode 100644 index 0000000000000..24bfcd94b25b8 --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/sso/sso-not-found/sso-not-found.component.ts @@ -0,0 +1,14 @@ +import { Component } from '@angular/core'; + +@Component({ + selector: 'cd-sso-not-found', + templateUrl: './sso-not-found.component.html', + styleUrls: ['./sso-not-found.component.scss'] +}) +export class SsoNotFoundComponent { + logoutUrl: string; + + constructor() { + this.logoutUrl = `${window.location.origin}/auth/saml2/slo`; + } +} diff --git a/src/pybind/mgr/dashboard/frontend/src/locale/messages.xlf b/src/pybind/mgr/dashboard/frontend/src/locale/messages.xlf index 416e730353ff4..58192f3c707f0 100644 --- a/src/pybind/mgr/dashboard/frontend/src/locale/messages.xlf +++ b/src/pybind/mgr/dashboard/frontend/src/locale/messages.xlf @@ -2230,6 +2230,18 @@ app/core/auth/user-form/user-form.component.html 147 + + Sorry, the user does not exist in Ceph. + + app/core/auth/sso/sso-not-found/sso-not-found.component.html + 3 + + + Return to Login Page. You'll be logged out from the Identity Provider when you retry logging in. + + app/core/auth/sso/sso-not-found/sso-not-found.component.html + 4 + User -- 2.39.5
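Review bot: `logoutUrl` in the `SsoNotFoundComponent` constructor is built from `window.location.origin` alone, while the backend half of this commit prefixes its redirect with the configured `url_prefix`. If the dashboard is served under a non-empty prefix, the link would presumably resolve to `/auth/saml2/slo` outside the dashboard, and the IdP session that the page text promises to end would stay active. Consider resolving against the document base instead, e.g. `this.logoutUrl = new URL('auth/saml2/slo', document.baseURI).href;` (this assumes the app's `<base href>` reflects the prefix, which should be confirmed). The spec currently pins only `http://localhost/auth/saml2/slo` and would benefit from a prefixed case. A one-line comment on the field, such as `// Must hit the backend SLO endpoint so the IdP session is terminated before the next login attempt`, would document why the link is not a plain router link.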