X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/16b5f7275ffa2bd4347134f7269744f4cd4baa2a..bdc069a04fd98529f5c79c6b8a7164fb9119723d:/lib/controller/localdb/login.go

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 2d20531714..ae59849993 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -7,8 +7,10 @@ package localdb
 import (
 	"context"
 	"errors"
+	"net/http"
 
 	"git.arvados.org/arvados.git/sdk/go/arvados"
+	"git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 
 type loginController interface {
@@ -25,7 +27,7 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 	case wantGoogle && !wantSSO && !wantPAM:
 		return &googleLoginController{Cluster: cluster, RailsProxy: railsProxy}
 	case !wantGoogle && wantSSO && !wantPAM:
-		return railsProxy
+		return &ssoLoginController{railsProxy}
 	case !wantGoogle && !wantSSO && wantPAM:
 		return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
 	default:
@@ -35,6 +37,14 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 	}
 }
 
+// Login and Logout are passed through to the wrapped railsProxy;
+// UserAuthenticate is rejected.
+type ssoLoginController struct{ *railsProxy }
+
+func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+	return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
+}
+
 type errorLoginController struct{ error }
 
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {