16212: Return error for users/authenticate endpoint in SSO mode.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 2d20531714b242a208909c6b3ffe4b40a30a646d..ae59849993346afaf6eddf37dd53cfa08c5cce5e 100644 (file)
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -7,8 +7,10 @@ package localdb
 import (
        "context"
        "errors"
+       "net/http"
 
        "git.arvados.org/arvados.git/sdk/go/arvados"
+       "git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 
 type loginController interface {
@@ -25,7 +27,7 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
        case wantGoogle && !wantSSO && !wantPAM:
                return &googleLoginController{Cluster: cluster, RailsProxy: railsProxy}
        case !wantGoogle && wantSSO && !wantPAM:
-               return railsProxy
+               return &ssoLoginController{railsProxy}
        case !wantGoogle && !wantSSO && wantPAM:
                return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
        default:
@@ -35,6 +37,14 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
        }
 }
 
+// Login and Logout are passed through to the wrapped railsProxy;
+// UserAuthenticate is rejected.
+type ssoLoginController struct{ *railsProxy }
+
+func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+       return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
+}
+
 type errorLoginController struct{ error }
 
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {