[ARVADOS] updated: 1.3.0-2615-g3b4bb3d39
Git user
git at public.arvados.org
Thu Jun 4 18:18:52 UTC 2020
Summary of changes:
lib/config/config.default.yml | 11 +++--------
lib/config/generated_config.go | 11 +++--------
lib/controller/localdb/login.go | 22 +---------------------
lib/controller/localdb/login_oidc_test.go | 4 ++--
sdk/go/arvados/config.go | 2 +-
5 files changed, 10 insertions(+), 40 deletions(-)
via 3b4bb3d393adc3bd3ddfb4442a65087275a5c5c3 (commit)
from cd3f543b2ea20a7ac5851c118d5189df080207f2 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 3b4bb3d393adc3bd3ddfb4442a65087275a5c5c3
Author: Tom Clegg <tom at tomclegg.ca>
Date: Thu Jun 4 14:17:28 2020 -0400
16171: Change issuer config to string to avoid trailing-slash pain.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index be0123574..ff73c6f46 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -560,14 +560,9 @@ Clusters:
# This must be exactly equal to the URL returned by the issuer
# itself in its config response ("isser" key). If the
# configured value is "https://example" and the provider
- # returns "https://example:443" then login will fail, even
- # though those URLs are equivalent (RFC3986).
- #
- # If the configured URL's path component is just "/" then it
- # is stripped. Therefore, an issuer advertising itself as
- # "https://example/" cannot be used -- but "https://example",
- # "https://example/foo", and "https://example/foo/" are
- # supported.
+ # returns "https://example:443" or "https://example/" then
+ # login will fail, even though those URLs are equivalent
+ # (RFC3986).
Issuer: ""
# Your client ID and client secret (supplied by the provider).
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 49d86c77f..3a317af88 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -566,14 +566,9 @@ Clusters:
# This must be exactly equal to the URL returned by the issuer
# itself in its config response ("isser" key). If the
# configured value is "https://example" and the provider
- # returns "https://example:443" then login will fail, even
- # though those URLs are equivalent (RFC3986).
- #
- # If the configured URL's path component is just "/" then it
- # is stripped. Therefore, an issuer advertising itself as
- # "https://example/" cannot be used -- but "https://example",
- # "https://example/foo", and "https://example/foo/" are
- # supported.
+ # returns "https://example:443" or "https://example/" then
+ # login will fail, even though those URLs are equivalent
+ # (RFC3986).
Issuer: ""
# Your client ID and client secret (supplied by the provider).
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 04fb82bd5..9a0ee746e 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -39,30 +39,10 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
}
case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
- issuer := cluster.Login.OpenIDConnect.Issuer
- if issuer.Path == "/" {
- // The OIDC library returns an error if the
- // config says "https://example/" and the
- // issuer identifies itself as
- // "https://example", even though those URLs
- // are equivalent
- // (https://tools.ietf.org/html/rfc3986#section-6.2.3).
- //
- // Our config loader adds "/" to URLs with
- // empty path, so we strip it off here and
- // count on the issuer to do the same when
- // identifying itself, as Google does.
- //
- // (Non-empty paths as in
- // "https://example/foo/" are preserved by the
- // config loader so the config just has to
- // match the issuer's response.)
- issuer.Path = ""
- }
return &oidcLoginController{
Cluster: cluster,
RailsProxy: railsProxy,
- Issuer: issuer.String(),
+ Issuer: cluster.Login.OpenIDConnect.Issuer,
ClientID: cluster.Login.OpenIDConnect.ClientID,
ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
}
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index b6e58c948..aa437218f 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -263,12 +263,12 @@ func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIDisabled(c *check.C) {
func (s *OIDCLoginSuite) TestConfig(c *check.C) {
s.cluster.Login.Google.Enable = false
s.cluster.Login.OpenIDConnect.Enable = true
- s.cluster.Login.OpenIDConnect.Issuer = arvados.URL{Scheme: "https", Host: "accounts.example.com", Path: "/"}
+ s.cluster.Login.OpenIDConnect.Issuer = "https://accounts.example.com/"
s.cluster.Login.OpenIDConnect.ClientID = "oidc-client-id"
s.cluster.Login.OpenIDConnect.ClientSecret = "oidc-client-secret"
localdb := NewConn(s.cluster)
ctrl := localdb.loginController.(*oidcLoginController)
- c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com")
+ c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com/")
c.Check(ctrl.ClientID, check.Equals, "oidc-client-id")
c.Check(ctrl.ClientSecret, check.Equals, "oidc-client-secret")
c.Check(ctrl.UseGooglePeopleAPI, check.Equals, false)
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 0558de808..dbd9f7109 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -158,7 +158,7 @@ type Cluster struct {
}
OpenIDConnect struct {
Enable bool
- Issuer URL
+ Issuer string
ClientID string
ClientSecret string
}
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list