17829: Remove SSO from config, controller, and tests
authorPeter Amstutz <peter.amstutz@curii.com>
Wed, 23 Jun 2021 14:07:19 +0000 (10:07 -0400)
committerPeter Amstutz <peter.amstutz@curii.com>
Thu, 24 Jun 2021 14:10:55 +0000 (10:10 -0400)
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>

lib/config/config.default.yml
lib/config/deprecated.go
lib/config/export.go
lib/controller/handler_test.go
lib/controller/localdb/login.go
lib/controller/localdb/login_oidc_test.go
sdk/go/arvados/config.go

index f0794a7e5320b115f1cac6b2d0f34c87cb3d7394..93edae981000cc2bc5d886376054ff4e4f984640 100644 (file)
@@ -736,16 +736,6 @@ Clusters:
         # originally supplied by the user will be used.
         UsernameAttribute: uid
 
-      SSO:
-        # Authenticate with a separate SSO server. (Deprecated)
-        Enable: false
-
-        # ProviderAppID and ProviderAppSecret are generated during SSO
-        # setup; see
-        # https://doc.arvados.org/v2.0/install/install-sso.html#update-config
-        ProviderAppID: ""
-        ProviderAppSecret: ""
-
       Test:
         # Authenticate users listed here in the config file. This
         # feature is intended to be used in test environments, and
index 5e68bbfcefa7950163791d66a6a533bc65c19097..efc9f0837ea531872d92f551c8030e4f9241def4 100644 (file)
@@ -103,18 +103,6 @@ func (ldr *Loader) applyDeprecatedConfig(cfg *arvados.Config) error {
                        *dst = *n
                }
 
-               // Provider* moved to SSO.Provider*
-               if dst, n := &cluster.Login.SSO.ProviderAppID, dcluster.Login.ProviderAppID; n != nil && *n != *dst {
-                       *dst = *n
-                       if *n != "" {
-                               // In old config, non-empty ID meant enable
-                               cluster.Login.SSO.Enable = true
-                       }
-               }
-               if dst, n := &cluster.Login.SSO.ProviderAppSecret, dcluster.Login.ProviderAppSecret; n != nil && *n != *dst {
-                       *dst = *n
-               }
-
                cfg.Clusters[id] = cluster
        }
        return nil
index 23d0b6bffe5346426632e6ebccf0ee7b5db8a967..32a528b3c73835cef815f056d781941386a92695 100644 (file)
@@ -173,10 +173,6 @@ var whitelist = map[string]bool{
        "Login.PAM.Enable":                                    true,
        "Login.PAM.Service":                                   false,
        "Login.RemoteTokenRefresh":                            true,
-       "Login.SSO":                                           true,
-       "Login.SSO.Enable":                                    true,
-       "Login.SSO.ProviderAppID":                             false,
-       "Login.SSO.ProviderAppSecret":                         false,
        "Login.Test":                                          true,
        "Login.Test.Enable":                                   true,
        "Login.Test.Users":                                    false,
index 2911a4f031cdac7aef14a80ecff42f349ddd0011..9b71c349a4b5624cf32cdf3eb6bba83d06d737bc 100644 (file)
@@ -164,34 +164,6 @@ func (s *HandlerSuite) TestProxyNotFound(c *check.C) {
        c.Check(jresp["errors"], check.FitsTypeOf, []interface{}{})
 }
 
-func (s *HandlerSuite) TestProxyRedirect(c *check.C) {
-       s.cluster.Login.SSO.Enable = true
-       s.cluster.Login.SSO.ProviderAppID = "test"
-       s.cluster.Login.SSO.ProviderAppSecret = "test"
-       req := httptest.NewRequest("GET", "https://0.0.0.0:1/login?return_to=foo", nil)
-       resp := httptest.NewRecorder()
-       s.handler.ServeHTTP(resp, req)
-       if !c.Check(resp.Code, check.Equals, http.StatusFound) {
-               c.Log(resp.Body.String())
-       }
-       // Old "proxy entire request" code path returns an absolute
-       // URL. New lib/controller/federation code path returns a
-       // relative URL.
-       c.Check(resp.Header().Get("Location"), check.Matches, `(https://0.0.0.0:1)?/auth/joshid\?return_to=%2Cfoo&?`)
-}
-
-func (s *HandlerSuite) TestLogoutSSO(c *check.C) {
-       s.cluster.Login.SSO.Enable = true
-       s.cluster.Login.SSO.ProviderAppID = "test"
-       req := httptest.NewRequest("GET", "https://0.0.0.0:1/logout?return_to=https://example.com/foo", nil)
-       resp := httptest.NewRecorder()
-       s.handler.ServeHTTP(resp, req)
-       if !c.Check(resp.Code, check.Equals, http.StatusFound) {
-               c.Log(resp.Body.String())
-       }
-       c.Check(resp.Header().Get("Location"), check.Equals, "http://localhost:3002/users/sign_out?"+url.Values{"redirect_uri": {"https://example.com/foo"}}.Encode())
-}
-
 func (s *HandlerSuite) TestLogoutGoogle(c *check.C) {
        s.cluster.Login.Google.Enable = true
        s.cluster.Login.Google.ClientID = "test"
index 0d6f2ef027e8500c60fdf644e8f808fecd2f226a..3c7b01baad1361735ebe37b4ef6df7157d1eb750 100644 (file)
@@ -30,15 +30,14 @@ type loginController interface {
 func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
        wantGoogle := cluster.Login.Google.Enable
        wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
-       wantSSO := cluster.Login.SSO.Enable
        wantPAM := cluster.Login.PAM.Enable
        wantLDAP := cluster.Login.LDAP.Enable
        wantTest := cluster.Login.Test.Enable
        wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
        switch {
-       case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
+       case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster):
                return errorLoginController{
-                       error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
+                       error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
                }
        case wantGoogle:
                return &oidcLoginController{
@@ -66,8 +65,6 @@ func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginControll
                        AcceptAccessToken:      cluster.Login.OpenIDConnect.AcceptAccessToken,
                        AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope,
                }
-       case wantSSO:
-               return &ssoLoginController{Parent: parent}
        case wantPAM:
                return &pamLoginController{Cluster: cluster, Parent: parent}
        case wantLDAP:
@@ -93,20 +90,6 @@ func countTrue(vals ...bool) int {
        return n
 }
 
-// Login and Logout are passed through to the parent's railsProxy;
-// UserAuthenticate is rejected.
-type ssoLoginController struct{ Parent *Conn }
-
-func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
-       return ctrl.Parent.railsProxy.Login(ctx, opts)
-}
-func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-       return ctrl.Parent.railsProxy.Logout(ctx, opts)
-}
-func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
-       return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
-}
-
 type errorLoginController struct{ error }
 
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
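Review bot: An operator upgrading with `Login.SSO.Enable: true` still in their config (and no other provider enabled) now falls into the `1 != countTrue(...)` arm, and the message built at the `errors.New` line lists the remaining providers without saying that Login.SSO was removed, so the cause of the failure is not obvious from the error alone. A short hint would make the migration path clear, e.g. `error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set (Login.SSO is no longer supported)"),` — this assumes the config loader does not already reject the now-unknown `Login.SSO` key before chooseLoginController runs. Separately, the deleted ssoLoginController.UserAuthenticate in the last hunk was the only visible use of `httpserver` and `http` in this file; if nothing outside the shown hunks references them, those imports are now unused and the package will not compile, so the import block (outside the hunks) should be checked. chooseLoginController's body continues past the first hunk.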
index c9d6133c480319b9129397ea076068d67bb4a3f5..3d1650074712578d168b4f5a79ba8894bac79b8a 100644 (file)
@@ -63,7 +63,6 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
        c.Assert(err, check.IsNil)
        s.cluster, err = cfg.GetCluster("")
        c.Assert(err, check.IsNil)
-       s.cluster.Login.SSO.Enable = false
        s.cluster.Login.Google.Enable = true
        s.cluster.Login.Google.ClientID = "test%client$id"
        s.cluster.Login.Google.ClientSecret = "test#client/secret"
index 403d501b4153af489e207fbfe4ba53e194655f78..23bc258cb33499c6ecc0ec27636ba06ad479271e 100644 (file)
@@ -176,11 +176,6 @@ type Cluster struct {
                        Service            string
                        DefaultEmailDomain string
                }
-               SSO struct {
-                       Enable            bool
-                       ProviderAppID     string
-                       ProviderAppSecret string
-               }
                Test struct {
                        Enable bool
                        Users  map[string]TestUser