16913: Treat LoginCluster as a distinct login method.

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>

diff --git a/lib/controller/federation/login_test.go b/lib/controller/federation/login_test.go
index ad91bcf8028d60960044a4c578a79320587a90ed..007f5df8b4726c7f24ebbcdf3b6ac0c46a202fbd 100644 (file)
--- a/lib/controller/federation/login_test.go
+++ b/lib/controller/federation/login_test.go
@@ -43,8 +43,6 @@ func (s *LoginSuite) TestDeferToLoginCluster(c *check.C) {
 func (s *LoginSuite) TestLogout(c *check.C) {
        s.cluster.Services.Workbench1.ExternalURL = arvados.URL{Scheme: "https", Host: "workbench1.example.com"}
        s.cluster.Services.Workbench2.ExternalURL = arvados.URL{Scheme: "https", Host: "workbench2.example.com"}
-       s.cluster.Login.Google.Enable = true
-       s.cluster.Login.Google.ClientID = "zzzzzzzzzzzzzz"
        s.addHTTPRemote(c, "zhome", &arvadostest.APIStub{})
        s.cluster.Login.LoginCluster = "zhome"
        // s.fed is already set by SetUpTest, but we need to

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 12674148426133fa97f1ef786b38cf6803b1c376..bbed47c73ff3e0a8f7653dbed0d6ed33e727af13 100644 (file)
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -34,10 +34,11 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
        wantPAM := cluster.Login.PAM.Enable
        wantLDAP := cluster.Login.LDAP.Enable
        wantTest := cluster.Login.Test.Enable
+       wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
        switch {
-       case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest):
+       case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
                return errorLoginController{
-                       error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, and Login.Test must be enabled"),
+                       error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
                }
        case wantGoogle:
                return &oidcLoginController{
@@ -69,6 +70,8 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
                return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
        case wantTest:
                return &testLoginController{Cluster: cluster, RailsProxy: railsProxy}
+       case wantLoginCluster:
+               return &federatedLoginController{Cluster: cluster}
        default:
                return errorLoginController{
                        error: errors.New("BUG: missing case in login controller setup switch"),
@@ -106,6 +109,20 @@ func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserA
        return arvados.APIClientAuthorization{}, ctrl.error
 }
 
+type federatedLoginController struct {
+       Cluster *arvados.Cluster
+}
+
+func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
+       return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest)
+}
+func (ctrl federatedLoginController) Logout(_ context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+       return noopLogout(ctrl.Cluster, opts)
+}
+func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+       return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
+}
+
 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
        target := opts.ReturnTo
        if target == "" {