From 7010ed0b94f9c572f2f7220a2a1eb17b61325fe7 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Wed, 1 Apr 2020 11:50:03 -0400
Subject: [PATCH] 16212: Return error for users/authenticate endpoint in SSO mode.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 lib/controller/localdb/login.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 2d20531714..ae59849993 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -7,8 +7,10 @@ package localdb
 import (
 "context"
 "errors"
+ "net/http"
 "git.arvados.org/arvados.git/sdk/go/arvados"
+ "git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 type loginController interface {
@@ -25,7 +27,7 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 case wantGoogle && !wantSSO && !wantPAM:
 return &googleLoginController{Cluster: cluster, RailsProxy: railsProxy}
 case !wantGoogle && wantSSO && !wantPAM:
- return railsProxy
+ return &ssoLoginController{railsProxy}
 case !wantGoogle && !wantSSO && wantPAM:
 return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy}
 default:
@@ -35,6 +37,14 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 }
 }
+// Login and Logout are passed through to the wrapped railsProxy;
+// UserAuthenticate is rejected.
+type ssoLoginController struct{ *railsProxy }
+
+func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+ return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
+}
+
 type errorLoginController struct{ error }
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
-- 
2.30.2
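Review bot: Nothing in this commit pins the new SSO branch of chooseLoginController, where the case now returns `&ssoLoginController{railsProxy}`; the diffstat shows login.go as the only file changed. A test that selects the SSO-only configuration and asserts that UserAuthenticate returns an error with status 400, while Login is still served by the proxy, would keep a later refactor from quietly restoring the pass-through of username/password requests. A short comment on the case, for example `// wrapped so users/authenticate is refused instead of being proxied`, would also explain why this branch no longer returns the bare proxy. chooseLoginController starts and ends outside this hunk.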
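Review bot: `ssoLoginController` embeds `*railsProxy`, so it promotes every method the proxy has, not only Login and Logout as the comment states. For an authentication controller that is a fail-open default: if the loginController interface (declared outside this hunk) later gains a method, SSO mode would forward it to the proxy without anyone deciding that it should. Consider a named field, `type ssoLoginController struct{ proxy *railsProxy }`, with Login and Logout forwarded explicitly (Logout's signature is not visible in this diff), so that a new interface method fails to compile until it is handled. The doc comment could also begin with the type name and say why password authentication is refused in SSO mode. The unused `ctx` and `opts` names could be dropped to match `errorLoginController.Login` below.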