From 0ce66018616c5177bc9268280119d6f08f339d4d Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Wed, 23 Jun 2021 10:07:19 -0400
Subject: [PATCH] 17829: Remove SSO from config, controller, and tests

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
 lib/config/config.default.yml | 10 --------
 lib/config/deprecated.go | 12 ----------
 lib/config/export.go | 4 ----
 lib/controller/handler_test.go | 28 -----------------------
 lib/controller/localdb/login.go | 21 ++---------------
 lib/controller/localdb/login_oidc_test.go | 1 -
 sdk/go/arvados/config.go | 5 ----
 7 files changed, 2 insertions(+), 79 deletions(-)

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index f0794a7e53..93edae9810 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -736,16 +736,6 @@ Clusters:
 # originally supplied by the user will be used. UsernameAttribute: uid - SSO: # Authenticate with a separate SSO server. (Deprecated) Enable: false - - # ProviderAppID and ProviderAppSecret are generated during SSO # setup; see # https://doc.arvados.org/v2.0/install/install-sso.html#update-config ProviderAppID: "" ProviderAppSecret: "" - Test: # Authenticate users listed here in the config file. This # feature is intended to be used in test environments, and
diff --git a/lib/config/deprecated.go b/lib/config/deprecated.go
index 5e68bbfcef..efc9f0837e 100644
--- a/lib/config/deprecated.go
+++ b/lib/config/deprecated.go
@@ -103,18 +103,6 @@ func (ldr *Loader) applyDeprecatedConfig(cfg *arvados.Config) error {
 *dst = *n
 }
 
- // Provider* moved to SSO.Provider*
- if dst, n := &cluster.Login.SSO.ProviderAppID, dcluster.Login.ProviderAppID; n != nil && *n != *dst {
- *dst = *n
- if *n != "" {
- // In old config, non-empty ID meant enable
- cluster.Login.SSO.Enable = true
- }
- }
- if dst, n := &cluster.Login.SSO.ProviderAppSecret, dcluster.Login.ProviderAppSecret; n != nil && *n != *dst {
- *dst = *n
- }
-
 cfg.Clusters[id] = cluster
 }
 return nil
diff --git a/lib/config/export.go b/lib/config/export.go
index 23d0b6bffe..32a528b3c7 100644
--- a/lib/config/export.go
+++ b/lib/config/export.go
@@ -173,10 +173,6 @@ var whitelist = map[string]bool{
 "Login.PAM.Enable": true,
 "Login.PAM.Service": false,
 "Login.RemoteTokenRefresh": true,
- "Login.SSO": true,
- "Login.SSO.Enable": true,
- "Login.SSO.ProviderAppID": false,
- "Login.SSO.ProviderAppSecret": false,
 "Login.Test": true,
 "Login.Test.Enable": true,
 "Login.Test.Users": false,
diff --git a/lib/controller/handler_test.go b/lib/controller/handler_test.go
index 2911a4f031..9b71c349a4 100644
--- a/lib/controller/handler_test.go
+++ b/lib/controller/handler_test.go
@@ -164,34 +164,6 @@ func (s *HandlerSuite) TestProxyNotFound(c *check.C) {
 c.Check(jresp["errors"], check.FitsTypeOf, []interface{}{})
 }
 
-func (s *HandlerSuite) TestProxyRedirect(c *check.C) {
- s.cluster.Login.SSO.Enable = true
- s.cluster.Login.SSO.ProviderAppID = "test"
- s.cluster.Login.SSO.ProviderAppSecret = "test"
- req := httptest.NewRequest("GET", "https://0.0.0.0:1/login?return_to=foo", nil)
- resp := httptest.NewRecorder()
- s.handler.ServeHTTP(resp, req)
- if !c.Check(resp.Code, check.Equals, http.StatusFound) {
- c.Log(resp.Body.String())
- }
- // Old "proxy entire request" code path returns an absolute
- // URL. New lib/controller/federation code path returns a
- // relative URL.
- c.Check(resp.Header().Get("Location"), check.Matches, `(https://0.0.0.0:1)?/auth/joshid\?return_to=%2Cfoo&?`)
-}
-
-func (s *HandlerSuite) TestLogoutSSO(c *check.C) {
- s.cluster.Login.SSO.Enable = true
- s.cluster.Login.SSO.ProviderAppID = "test"
- req := httptest.NewRequest("GET", "https://0.0.0.0:1/logout?return_to=https://example.com/foo", nil)
- resp := httptest.NewRecorder()
- s.handler.ServeHTTP(resp, req)
- if !c.Check(resp.Code, check.Equals, http.StatusFound) {
- c.Log(resp.Body.String())
- }
- c.Check(resp.Header().Get("Location"), check.Equals, "http://localhost:3002/users/sign_out?"+url.Values{"redirect_uri": {"https://example.com/foo"}}.Encode())
-}
-
 func (s *HandlerSuite) TestLogoutGoogle(c *check.C) {
 s.cluster.Login.Google.Enable = true
 s.cluster.Login.Google.ClientID = "test"
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 0d6f2ef027..3c7b01baad 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -30,15 +30,14 @@ type loginController interface {
 func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
 wantGoogle := cluster.Login.Google.Enable
 wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
- wantSSO := cluster.Login.SSO.Enable
 wantPAM := cluster.Login.PAM.Enable
 wantLDAP := cluster.Login.LDAP.Enable
 wantTest := cluster.Login.Test.Enable
 wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
 switch {
- case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
+ case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster):
 return errorLoginController{
- error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
+ error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
 }
 case wantGoogle:
 return &oidcLoginController{
@@ -66,8 +65,6 @@ func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginControll
 AcceptAccessToken: cluster.Login.OpenIDConnect.AcceptAccessToken,
 AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope,
 }
- case wantSSO:
- return &ssoLoginController{Parent: parent}
 case wantPAM:
 return &pamLoginController{Cluster: cluster, Parent: parent}
 case wantLDAP:
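Review bot: The rewritten `+ error: errors.New(...)` line in the first hunk drops every mention of Login.SSO, so a cluster whose config still enables SSO (or still carries the legacy Login.ProviderAppID that deprecated.go stops migrating in this same commit) now fails the exactly-one check with a message that gives no hint why. That outcome is fail-closed, which is the right default for an authentication selector, but the operator is left to discover the removal from release notes rather than from the diagnostic. Whether the config loader rejects or silently drops a leftover Login.SSO key is not visible in this diff; if it is dropped, this string is the only signal. Consider `error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set (Login.SSO is no longer supported)"),`. chooseLoginController continues past the end of the hunk.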
@@ -93,20 +90,6 @@ func countTrue(vals ...bool) int {
 return n
 }
 
-// Login and Logout are passed through to the parent's railsProxy;
-// UserAuthenticate is rejected.
-type ssoLoginController struct{ Parent *Conn }
-
-func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
- return ctrl.Parent.railsProxy.Login(ctx, opts)
-}
-func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
- return ctrl.Parent.railsProxy.Logout(ctx, opts)
-}
-func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
- return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
-}
-
 type errorLoginController struct{ error }
 
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index c9d6133c48..3d16500747 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -63,7 +63,6 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
 c.Assert(err, check.IsNil)
 s.cluster, err = cfg.GetCluster("")
 c.Assert(err, check.IsNil)
- s.cluster.Login.SSO.Enable = false
 s.cluster.Login.Google.Enable = true
 s.cluster.Login.Google.ClientID = "test%client$id"
 s.cluster.Login.Google.ClientSecret = "test#client/secret"
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 403d501b41..23bc258cb3 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -176,11 +176,6 @@ type Cluster struct {
 Service string
 DefaultEmailDomain string
 }
- SSO struct {
- Enable bool
- ProviderAppID string
- ProviderAppSecret string
- }
 Test struct {
 Enable bool
 Users map[string]TestUser
--
2.30.2