From: Peter Amstutz
Date: Mon, 28 Sep 2020 18:28:18 +0000 (-0400)
Subject: 16913: Treat LoginCluster as a distinct login method.
X-Git-Tag: 2.1.0~32^2~1
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/7d91fe636e1ce09697fdff28b43e4020df041f17?hp=ac82dcc51a03f0ac1e3b6fc8e9e65ab86872ac26

16913: Treat LoginCluster as a distinct login method.

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
diff --git a/lib/controller/federation/login_test.go b/lib/controller/federation/login_test.go
index ad91bcf802..007f5df8b4 100644
--- a/lib/controller/federation/login_test.go
+++ b/lib/controller/federation/login_test.go
@@ -43,8 +43,6 @@ func (s *LoginSuite) TestDeferToLoginCluster(c *check.C) {
 func (s *LoginSuite) TestLogout(c *check.C) {
 s.cluster.Services.Workbench1.ExternalURL = arvados.URL{Scheme: "https", Host: "workbench1.example.com"}
 s.cluster.Services.Workbench2.ExternalURL = arvados.URL{Scheme: "https", Host: "workbench2.example.com"}
- s.cluster.Login.Google.Enable = true
- s.cluster.Login.Google.ClientID = "zzzzzzzzzzzzzz"
 s.addHTTPRemote(c, "zhome", &arvadostest.APIStub{})
 s.cluster.Login.LoginCluster = "zhome"
 // s.fed is already set by SetUpTest, but we need to
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 1267414842..bbed47c73f 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -34,10 +34,11 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 wantPAM := cluster.Login.PAM.Enable
 wantLDAP := cluster.Login.LDAP.Enable
 wantTest := cluster.Login.Test.Enable
+ wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
 switch {
- case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest):
+ case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
 return errorLoginController{
- error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, and Login.Test must be enabled"),
+ error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
 }
 case wantGoogle:
 return &oidcLoginController{
@@ -69,6 +70,8 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
 case wantTest:
 return &testLoginController{Cluster: cluster, RailsProxy: railsProxy}
+ case wantLoginCluster:
+ return &federatedLoginController{Cluster: cluster}
 default:
 return errorLoginController{
 error: errors.New("BUG: missing case in login controller setup switch"),
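Review bot: The new error text in the first login.go hunk says Login.LoginCluster "must be set", but `wantLoginCluster` is false when LoginCluster equals cluster.ClusterID, so an operator whose cluster names itself and enables no local method is told to set a value that is already set. A comment on the predicate would make the rule explicit, e.g. `// LoginCluster counts as a login method only when it names a different cluster; a cluster that names itself still needs exactly one local method.`, and the message could read `Login.LoginCluster (naming another cluster)`. A configuration that combined a remote LoginCluster with a local method used to select the local controller and now gets errorLoginController; that fails closed, but it is a behaviour change worth an upgrade note. chooseLoginController starts and ends outside the hunk.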
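Review bot: Nothing in the files shown here exercises the new `case wantLoginCluster:` branch in the second login.go hunk or the widened countTrue check; the only test change removes the Google settings from TestLogout. Since this switch decides which authentication path a cluster uses, a table test of chooseLoginController would be worth adding, covering a remote LoginCluster alone (expects a federatedLoginController), a remote LoginCluster plus one local method (expects errorLoginController), and LoginCluster equal to ClusterID plus one local method (expects the local controller). Such a test may exist elsewhere in the tree; it is not part of this diff as shown.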
@@ -106,6 +109,20 @@ func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserA
 return arvados.APIClientAuthorization{}, ctrl.error
 }
 
+type federatedLoginController struct {
+ Cluster *arvados.Cluster
+}
+
+func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
+ return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest)
+}
+func (ctrl federatedLoginController) Logout(_ context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+ return noopLogout(ctrl.Cluster, opts)
+}
+func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+ return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
+}
+
 func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
 target := opts.ReturnTo
 if target == "" {
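Review bot: federatedLoginController has no doc comment, and its contract is not obvious from the code: Login and UserAuthenticate are stubs that always fail with 400, and only Logout does any work. A comment above the type would record that, e.g. `// federatedLoginController is used when Login.LoginCluster names another cluster. Login and UserAuthenticate always fail: judging by the error text, those requests are expected to be redirected to the login cluster and never handled locally.` The Login error string `"Should have been redirected to login cluster"` is capitalised, unlike the UserAuthenticate string next to it; `"should have been redirected to login cluster"` follows Go convention. Logout delegates to noopLogout, whose body continues past the end of the hunk, so how opts.ReturnTo is validated before it is used as a redirect target cannot be confirmed from here.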