[ARVADOS] updated: 1.3.0-2544-g62c33a15f
Summary of changes:
doc/install/setup-login.html.textile.liquid | 10 ++-
lib/config/config.default.yml | 107 +++++++++++++----------
lib/config/deprecated.go | 35 ++++++++
lib/config/deprecated_test.go | 35 ++++++++
lib/config/export.go | 23 +++--
lib/config/generated_config.go | 107 +++++++++++++----------
lib/controller/localdb/login.go | 8 +-
lib/controller/localdb/login_google.go | 6 +-
lib/controller/localdb/login_google_test.go | 10 +--
lib/controller/localdb/login_ldap_docker_test.sh | 11 +--
lib/controller/localdb/login_pam.go | 4 +-
lib/controller/localdb/login_pam_test.go | 6 +-
sdk/go/arvados/config.go | 28 +++---
13 files changed, 249 insertions(+), 141 deletions(-)
via 62c33a15f68895d6a388f68d2827e9fd5705c5df (commit)
from bbb132e983f9ec5c7d50cf0ab709ec041af1f844 (commit)
commit 62c33a15f68895d6a388f68d2827e9fd5705c5df
Author: Tom Clegg <tom at tomclegg.ca>
Date: Fri May 8 13:46:44 2020 -0400
15881: Move Google, SSO, and PAM configs into their own sections.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index 753ba82ba..a9fa4fd4e 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -22,12 +22,13 @@ With this configuration, users will sign in with their Google accounts.
First, visit "Setting up Google auth.":google-auth.html
-Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into @Login.GoogleClientID@ and @Login.GoogleClientSecret@ of @config.yml@:
+Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into @Login.Google.ClientID@ and @Login.Google.ClientSecret@ in @config.yml@:
<pre>
Login:
- GoogleClientID: "0000000000000-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.apps.googleusercontent.com"
- GoogleClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
+ Google:
+ ClientID: "0000000000000-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.apps.googleusercontent.com"
+ ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
</pre>
h2(#ldap). LDAP
@@ -64,7 +65,8 @@ Enable PAM authentication in @config.yml@:
<pre>
Login:
- PAM: true
+ PAM:
+ Enable: true
</pre>
Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options.
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 2aa58ac31..e24845889 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -524,54 +524,55 @@ Clusters:
MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (eg
- # Google) used to perform upstream authentication.
- ProviderAppID: ""
- ProviderAppSecret: ""
-
- # (Experimental) Authenticate with Google, bypassing the
- # SSO-provider gateway service. Use the Google Cloud console to
- # enable the People API (APIs and Services > Enable APIs and
- # services > Google People API > Enable), generate a Client ID
- # and secret (APIs and Services > Credentials > Create
- # credentials > OAuth client ID > Web application) and add your
- # controller's /login URL (e.g.,
- # "https://zzzzz.example.com/login") as an authorized redirect
- # URL.
- #
- # Incompatible with ForceLegacyAPI14. ProviderAppID must be
- # blank.
- GoogleClientID: ""
- GoogleClientSecret: ""
-
- # Allow users to log in to existing accounts using any verified
- # email address listed by their Google account. If true, the
- # Google People API must be enabled in order for Google login to
- # work. If false, only the primary email address will be used.
- GoogleAlternateEmailAddresses: true
-
- # (Experimental) Use PAM to authenticate logins, using the
- # specified PAM service name.
- #
- # Cannot be used in combination with OAuth2 (ProviderAppID) or
- # Google (GoogleClientID). Cannot be used on a cluster acting as
- # a LoginCluster.
- PAM: false
- PAMService: arvados
-
- # Domain name (e.g., "example.com") to use to construct the
- # user's email address if PAM authentication returns a username
- # with no "@". If empty, use the PAM username as the user's
- # email address, whether or not it contains "@".
- #
- # Note that the email address is used as the primary key for
- # user records when logging in. Therefore, if you change
- # PAMDefaultEmailDomain after the initial installation, you
- # should also update existing user records to reflect the new
- # domain. Otherwise, next time those users log in, they will be
- # given new accounts instead of accessing their existing
- # accounts.
- PAMDefaultEmailDomain: ""
+ # One of the following mechanisms (SSO, Google, PAM, LDAP, or
+ # LoginCluster) should be enabled; see
+ # https://doc.arvados.org/install/setup-login.html
+
+ Google:
+ # Authenticate with Google.
+ Enable: false
+
+ # Use the Google Cloud console to enable the People API (APIs
+ # and Services > Enable APIs and services > Google People API
+ # > Enable), generate a Client ID and secret (APIs and
+ # Services > Credentials > Create credentials > OAuth client
+ # ID > Web application) and add your controller's /login URL
+ # (e.g., "https://zzzzz.example.com/login") as an authorized
+ # redirect URL.
+ #
+ # Incompatible with ForceLegacyAPI14. ProviderAppID must be
+ # blank.
+ ClientID: ""
+ ClientSecret: ""
+
+ # Allow users to log in to existing accounts using any verified
+ # email address listed by their Google account. If true, the
+ # Google People API must be enabled in order for Google login to
+ # work. If false, only the primary email address will be used.
+ AlternateEmailAddresses: true
+
+ PAM:
+ # (Experimental) Use PAM to authenticate users.
+ Enable: false
+
+ # PAM service name. PAM will apply the policy in the
+ # corresponding config file (e.g., /etc/pam.d/arvados) or, if
+ # there is none, the default "other" config.
+ Service: arvados
+
+ # Domain name (e.g., "example.com") to use to construct the
+ # user's email address if PAM authentication returns a
+ # username with no "@". If empty, use the PAM username as the
+ # user's email address, whether or not it contains "@".
+ #
+ # Note that the email address is used as the primary key for
+ # user records when logging in. Therefore, if you change
+ # PAMDefaultEmailDomain after the initial installation, you
+ # should also update existing user records to reflect the new
+ # domain. Otherwise, next time those users log in, they will
+ # be given new accounts instead of accessing their existing
+ # accounts.
+ DefaultEmailDomain: ""
LDAP:
# Use an LDAP service to authenticate users.
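Review bot: The comment block for the renamed PAM key still refers to the old name: the note under `DefaultEmailDomain` says "if you change PAMDefaultEmailDomain after the initial installation", which no longer matches any key; it should read `# DefaultEmailDomain after the initial installation, you`. Likewise the Google section keeps "ProviderAppID must be blank", but with this commit the controller is selected by the Enable flags, so the accurate statement is `# Incompatible with ForceLegacyAPI14. Cannot be combined with SSO.Enable, PAM.Enable, or LDAP.Enable.` The new wording "or, if there is none, the default "other" config" also deserves a caveat, since on hosts where /etc/pam.d/other is permissive that fallback becomes the whole login policy; I would add `# Install an explicit /etc/pam.d/arvados rather than relying on the "other" fallback, which on some systems permits any login.`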
@@ -631,6 +632,16 @@ Clusters:
# originally supplied by the user will be used.
UsernameAttribute: uid
+ SSO:
+ # Authenticate with a separate SSO server.
+ Enable: false
+
+ # ProviderAppID and ProviderAppSecret are generated during SSO
+ # setup; see
+ # https://doc.arvados.org/install/install-sso.html#update-config
+ ProviderAppID: ""
+ ProviderAppSecret: ""
+
# The cluster ID to delegate the user database. When set,
# logins on this cluster will be redirected to the login cluster
# (login cluster must appear in RemoteClusters with Proxy: true)
diff --git a/lib/config/deprecated.go b/lib/config/deprecated.go
index 0689efa44..3d62e7cc5 100644
--- a/lib/config/deprecated.go
+++ b/lib/config/deprecated.go
@@ -23,6 +23,13 @@ type deprRequestLimits struct {
type deprCluster struct {
RequestLimits deprRequestLimits
NodeProfiles map[string]nodeProfile
+ Login struct {
+ GoogleClientID *string
+ GoogleClientSecret *string
+ GoogleAlternateEmailAddresses *bool
+ ProviderAppID *string
+ ProviderAppSecret *string
+ }
}
type deprecatedConfig struct {
@@ -80,6 +87,34 @@ func (ldr *Loader) applyDeprecatedConfig(cfg *arvados.Config) error {
if dst, n := &cluster.API.MaxRequestAmplification, dcluster.RequestLimits.MultiClusterRequestConcurrency; n != nil && *n != *dst {
*dst = *n
}
+
+ // Google* moved to Google.*
+ if dst, n := &cluster.Login.Google.ClientID, dcluster.Login.GoogleClientID; n != nil && *n != *dst {
+ *dst = *n
+ if *n != "" {
+ // In old config, non-empty ClientID meant enable
+ cluster.Login.Google.Enable = true
+ }
+ }
+ if dst, n := &cluster.Login.Google.ClientSecret, dcluster.Login.GoogleClientSecret; n != nil && *n != *dst {
+ *dst = *n
+ }
+ if dst, n := &cluster.Login.Google.AlternateEmailAddresses, dcluster.Login.GoogleAlternateEmailAddresses; n != nil && *n != *dst {
+ *dst = *n
+ }
+
+ // Provider* moved to SSO.Provider*
+ if dst, n := &cluster.Login.SSO.ProviderAppID, dcluster.Login.ProviderAppID; n != nil && *n != *dst {
+ *dst = *n
+ if *n != "" {
+ // In old config, non-empty ID meant enable
+ cluster.Login.SSO.Enable = true
+ }
+ }
+ if dst, n := &cluster.Login.SSO.ProviderAppSecret, dcluster.Login.ProviderAppSecret; n != nil && *n != *dst {
+ *dst = *n
+ }
+
cfg.Clusters[id] = cluster
}
return nil
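Review bot: The legacy PAM keys (`Login.PAM` as a bool, `Login.PAMService`, `Login.PAMDefaultEmailDomain`) are not migrated here even though the same commit turns `Login.PAM` into a struct; a config that still says `PAM: true` presumably fails to decode rather than being carried over (I cannot see how the loader treats a scalar where a mapping is now expected), so operators get a confusing load error instead of a deprecation path. Failing closed is the right outcome for an authentication backend, but the shim should at least cover the two string keys and the struct `deprCluster.Login` (in the hunk above) would need `PAM *bool`, `PAMService *string` and `PAMDefaultEmailDomain *string` added; the bool-vs-struct clash on the `PAM` key itself likely has to be resolved before the typed decode, not in this function. `applyDeprecatedConfig` begins before this hunk and its loop continues past it.
```go
	// … unchanged: Google* and Provider* migration …

	// PAM, PAMService, PAMDefaultEmailDomain moved to PAM.*
	if dst, n := &cluster.Login.PAM.Enable, dcluster.Login.PAM; n != nil && *n != *dst {
		*dst = *n
	}
	if dst, n := &cluster.Login.PAM.Service, dcluster.Login.PAMService; n != nil && *n != *dst {
		*dst = *n
	}
	if dst, n := &cluster.Login.PAM.DefaultEmailDomain, dcluster.Login.PAMDefaultEmailDomain; n != nil && *n != *dst {
		*dst = *n
	}

	cfg.Clusters[id] = cluster
```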
diff --git a/lib/config/deprecated_test.go b/lib/config/deprecated_test.go
index 58c27e984..96eea4264 100644
--- a/lib/config/deprecated_test.go
+++ b/lib/config/deprecated_test.go
@@ -89,6 +89,41 @@ Clusters:
`)
}
+func (s *LoadSuite) TestDeprecatedLoginBackend(c *check.C) {
+ checkEquivalent(c, `
+Clusters:
+ z1111:
+ Login:
+ GoogleClientID: aaaa
+ GoogleClientSecret: bbbb
+ GoogleAlternateEmailAddresses: true
+`, `
+Clusters:
+ z1111:
+ Login:
+ Google:
+ Enable: true
+ ClientID: aaaa
+ ClientSecret: bbbb
+ AlternateEmailAddresses: true
+`)
+ checkEquivalent(c, `
+Clusters:
+ z1111:
+ Login:
+ ProviderAppID: aaaa
+ ProviderAppSecret: bbbb
+`, `
+Clusters:
+ z1111:
+ Login:
+ SSO:
+ Enable: true
+ ProviderAppID: aaaa
+ ProviderAppSecret: bbbb
+`)
+}
+
func (s *LoadSuite) TestLegacyKeepWebConfig(c *check.C) {
content := []byte(`
{
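Review bot: `TestDeprecatedLoginBackend` only checks the happy path where both legacy ID and secret are set; it does not pin that a legacy `GoogleClientSecret` (or `ProviderAppSecret`) given without the corresponding ID leaves `Enable: false`, which is the behaviour the shim in deprecated.go implements and the one that matters for not turning on a login backend by accident. I would add a third `checkEquivalent` pair with only `GoogleClientSecret: bbbb` on the legacy side and `Google: {ClientSecret: bbbb}` on the new side. There is also no case for the legacy `PAM`/`PAMService`/`PAMDefaultEmailDomain` keys, which this commit renames but does not appear to migrate.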
diff --git a/lib/config/export.go b/lib/config/export.go
index 323043fbe..26782c8ba 100644
--- a/lib/config/export.go
+++ b/lib/config/export.go
@@ -131,14 +131,11 @@ var whitelist = map[string]bool{
"InstanceTypes.*": true,
"InstanceTypes.*.*": true,
"Login": true,
- "Login.GoogleClientID": false,
- "Login.GoogleClientSecret": false,
- "Login.GoogleAlternateEmailAddresses": false,
- "Login.PAM": true,
- "Login.PAMService": false,
- "Login.PAMDefaultEmailDomain": false,
- "Login.ProviderAppID": false,
- "Login.ProviderAppSecret": false,
+ "Login.Google": true,
+ "Login.Google.AlternateEmailAddresses": false,
+ "Login.Google.ClientID": false,
+ "Login.Google.ClientSecret": false,
+ "Login.Google.Enable": true,
"Login.LDAP": true,
"Login.LDAP.AppendDomain": false,
"Login.LDAP.EmailAttribute": false,
@@ -146,14 +143,22 @@ var whitelist = map[string]bool{
"Login.LDAP.InsecureTLS": false,
"Login.LDAP.SearchAttribute": false,
"Login.LDAP.SearchBase": false,
- "Login.LDAP.SearchBindUser": false,
"Login.LDAP.SearchBindPassword": false,
+ "Login.LDAP.SearchBindUser": false,
"Login.LDAP.SearchFilters": false,
"Login.LDAP.StartTLS": false,
"Login.LDAP.StripDomain": false,
"Login.LDAP.URL": false,
"Login.LDAP.UsernameAttribute": false,
"Login.LoginCluster": true,
+ "Login.PAM": true,
+ "Login.PAM.DefaultEmailDomain": false,
+ "Login.PAM.Enable": true,
+ "Login.PAM.Service": false,
+ "Login.SSO": true,
+ "Login.SSO.Enable": true,
+ "Login.SSO.ProviderAppID": false,
+ "Login.SSO.ProviderAppSecret": false,
"Login.RemoteTokenRefresh": true,
"Mail": true,
"Mail.MailchimpAPIKey": false,
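Review bot: The new `Login.SSO.*` entries are inserted ahead of `Login.RemoteTokenRefresh`, breaking the alphabetical order that this same hunk restores for `SearchBindPassword`/`SearchBindUser`; move `"Login.RemoteTokenRefresh": true,` to sit between `Login.PAM.Service` and `Login.SSO`. The secret-bearing keys (`ClientSecret`, `ProviderAppSecret`, `SearchBindPassword`) are correctly left at `false`, which is what keeps them out of the unauthenticated config export.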
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 4677fe544..df08dd00e 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -530,54 +530,55 @@ Clusters:
MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (eg
- # Google) used to perform upstream authentication.
- ProviderAppID: ""
- ProviderAppSecret: ""
-
- # (Experimental) Authenticate with Google, bypassing the
- # SSO-provider gateway service. Use the Google Cloud console to
- # enable the People API (APIs and Services > Enable APIs and
- # services > Google People API > Enable), generate a Client ID
- # and secret (APIs and Services > Credentials > Create
- # credentials > OAuth client ID > Web application) and add your
- # controller's /login URL (e.g.,
- # "https://zzzzz.example.com/login") as an authorized redirect
- # URL.
- #
- # Incompatible with ForceLegacyAPI14. ProviderAppID must be
- # blank.
- GoogleClientID: ""
- GoogleClientSecret: ""
-
- # Allow users to log in to existing accounts using any verified
- # email address listed by their Google account. If true, the
- # Google People API must be enabled in order for Google login to
- # work. If false, only the primary email address will be used.
- GoogleAlternateEmailAddresses: true
-
- # (Experimental) Use PAM to authenticate logins, using the
- # specified PAM service name.
- #
- # Cannot be used in combination with OAuth2 (ProviderAppID) or
- # Google (GoogleClientID). Cannot be used on a cluster acting as
- # a LoginCluster.
- PAM: false
- PAMService: arvados
-
- # Domain name (e.g., "example.com") to use to construct the
- # user's email address if PAM authentication returns a username
- # with no "@". If empty, use the PAM username as the user's
- # email address, whether or not it contains "@".
- #
- # Note that the email address is used as the primary key for
- # user records when logging in. Therefore, if you change
- # PAMDefaultEmailDomain after the initial installation, you
- # should also update existing user records to reflect the new
- # domain. Otherwise, next time those users log in, they will be
- # given new accounts instead of accessing their existing
- # accounts.
- PAMDefaultEmailDomain: ""
+ # One of the following mechanisms (SSO, Google, PAM, LDAP, or
+ # LoginCluster) should be enabled; see
+ # https://doc.arvados.org/install/setup-login.html
+
+ Google:
+ # Authenticate with Google.
+ Enable: false
+
+ # Use the Google Cloud console to enable the People API (APIs
+ # and Services > Enable APIs and services > Google People API
+ # > Enable), generate a Client ID and secret (APIs and
+ # Services > Credentials > Create credentials > OAuth client
+ # ID > Web application) and add your controller's /login URL
+ # (e.g., "https://zzzzz.example.com/login") as an authorized
+ # redirect URL.
+ #
+ # Incompatible with ForceLegacyAPI14. ProviderAppID must be
+ # blank.
+ ClientID: ""
+ ClientSecret: ""
+
+ # Allow users to log in to existing accounts using any verified
+ # email address listed by their Google account. If true, the
+ # Google People API must be enabled in order for Google login to
+ # work. If false, only the primary email address will be used.
+ AlternateEmailAddresses: true
+
+ PAM:
+ # (Experimental) Use PAM to authenticate users.
+ Enable: false
+
+ # PAM service name. PAM will apply the policy in the
+ # corresponding config file (e.g., /etc/pam.d/arvados) or, if
+ # there is none, the default "other" config.
+ Service: arvados
+
+ # Domain name (e.g., "example.com") to use to construct the
+ # user's email address if PAM authentication returns a
+ # username with no "@". If empty, use the PAM username as the
+ # user's email address, whether or not it contains "@".
+ #
+ # Note that the email address is used as the primary key for
+ # user records when logging in. Therefore, if you change
+ # PAMDefaultEmailDomain after the initial installation, you
+ # should also update existing user records to reflect the new
+ # domain. Otherwise, next time those users log in, they will
+ # be given new accounts instead of accessing their existing
+ # accounts.
+ DefaultEmailDomain: ""
LDAP:
# Use an LDAP service to authenticate users.
@@ -637,6 +638,16 @@ Clusters:
# originally supplied by the user will be used.
UsernameAttribute: uid
+ SSO:
+ # Authenticate with a separate SSO server.
+ Enable: false
+
+ # ProviderAppID and ProviderAppSecret are generated during SSO
+ # setup; see
+ # https://doc.arvados.org/install/install-sso.html#update-config
+ ProviderAppID: ""
+ ProviderAppSecret: ""
+
# The cluster ID to delegate the user database. When set,
# logins on this cluster will be redirected to the login cluster
# (login cluster must appear in RemoteClusters with Proxy: true)
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 8cba3b6fa..0fd0a9ad2 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -23,9 +23,9 @@ type loginController interface {
}
func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController {
- wantGoogle := cluster.Login.GoogleClientID != ""
- wantSSO := cluster.Login.ProviderAppID != ""
- wantPAM := cluster.Login.PAM
+ wantGoogle := cluster.Login.Google.Enable
+ wantSSO := cluster.Login.SSO.Enable
+ wantPAM := cluster.Login.PAM.Enable
wantLDAP := cluster.Login.LDAP.Enable
switch {
case wantGoogle && !wantSSO && !wantPAM && !wantLDAP:
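Review bot: Switching the selector from "ClientID is non-empty" to `Login.Google.Enable` removes the implicit check that credentials exist, so `Google: {Enable: true}` with blank `ClientID`/`ClientSecret` now builds a `googleLoginController` that will start an OAuth2 flow with an empty client id instead of failing at startup; the same applies to `SSO.Enable` with a blank `ProviderAppID`. I would guard the Google case with `if cluster.Login.Google.ClientID == "" || cluster.Login.Google.ClientSecret == "" { return errorLoginController{error: errors.New("configuration problem: Login.Google.Enable is true but Login.Google.ClientID/ClientSecret are empty")} }` and do the equivalent for the SSO case. `chooseLoginController` continues past the end of this hunk.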
@@ -38,7 +38,7 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy}
default:
return errorLoginController{
- error: errors.New("configuration problem: exactly one of Login.GoogleClientID, Login.ProviderAppID, Login.PAM, or Login.LDAP.Enable must be configured"),
+ error: errors.New("configuration problem: exactly one of Login.Google, Login.SSO, Login.PAM, and Login.LDAP must be enabled"),
}
}
}
diff --git a/lib/controller/localdb/login_google.go b/lib/controller/localdb/login_google.go
index bf1754c15..144b04c46 100644
--- a/lib/controller/localdb/login_google.go
+++ b/lib/controller/localdb/login_google.go
@@ -71,8 +71,8 @@ func (ctrl *googleLoginController) Login(ctx context.Context, opts arvados.Login
return loginError(fmt.Errorf("error making redirect URL: %s", err))
}
conf := &oauth2.Config{
- ClientID: ctrl.Cluster.Login.GoogleClientID,
- ClientSecret: ctrl.Cluster.Login.GoogleClientSecret,
+ ClientID: ctrl.Cluster.Login.Google.ClientID,
+ ClientSecret: ctrl.Cluster.Login.Google.ClientSecret,
Endpoint: provider.Endpoint(),
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
RedirectURL: redirURL.String(),
@@ -162,7 +162,7 @@ func (ctrl *googleLoginController) getAuthInfo(ctx context.Context, cluster *arv
ret.Email = claims.Email
}
- if !ctrl.Cluster.Login.GoogleAlternateEmailAddresses {
+ if !ctrl.Cluster.Login.Google.AlternateEmailAddresses {
if ret.Email == "" {
return nil, fmt.Errorf("cannot log in with unverified email address %q", claims.Email)
}
diff --git a/lib/controller/localdb/login_google_test.go b/lib/controller/localdb/login_google_test.go
index 9e16e2e90..495fbb69b 100644
--- a/lib/controller/localdb/login_google_test.go
+++ b/lib/controller/localdb/login_google_test.go
@@ -146,10 +146,10 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
s.cluster, err = cfg.GetCluster("")
- s.cluster.Login.ProviderAppID = ""
- s.cluster.Login.ProviderAppSecret = ""
- s.cluster.Login.GoogleClientID = "test%client$id"
- s.cluster.Login.GoogleClientSecret = "test#client/secret"
+ s.cluster.Login.SSO.Enable = false
+ s.cluster.Login.Google.Enable = true
+ s.cluster.Login.Google.ClientID = "test%client$id"
+ s.cluster.Login.Google.ClientSecret = "test#client/secret"
s.cluster.Users.PreferDomainForUsername = "PreferDomainForUsername.example.com"
c.Assert(err, check.IsNil)
@@ -227,7 +227,7 @@ func (s *LoginSuite) setupPeopleAPIError(c *check.C) {
}
func (s *LoginSuite) TestGoogleLogin_PeopleAPIDisabled(c *check.C) {
- s.cluster.Login.GoogleAlternateEmailAddresses = false
+ s.cluster.Login.Google.AlternateEmailAddresses = false
s.authEmail = "joe.smith at primary.example.com"
s.setupPeopleAPIError(c)
state := s.startLogin(c)
diff --git a/lib/controller/localdb/login_ldap_docker_test.sh b/lib/controller/localdb/login_ldap_docker_test.sh
index 61b1e0e88..4e0679f62 100755
--- a/lib/controller/localdb/login_ldap_docker_test.sh
+++ b/lib/controller/localdb/login_ldap_docker_test.sh
@@ -103,11 +103,12 @@ case "${config_method}" in
setup_pam_ldap="apt update && DEBIAN_FRONTEND=noninteractive apt install -y ldap-utils libpam-ldap && pam-auth-update --package /usr/share/pam-configs/ldap"
cat >>"${tmpdir}/zzzzz.yml" <<EOF
Login:
- PAM: true
- # Without this magic PAMDefaultEmailDomain, inserted users would
- # prevent subsequent database/reset from working (see
- # database_controller.rb).
- PAMDefaultEmailDomain: example.com
+ PAM:
+ Enable: true
+ # Without this specific DefaultEmailDomain, inserted users
+ # would prevent subsequent database/reset from working (see
+ # database_controller.rb).
+ DefaultEmailDomain: example.com
EOF
;;
ldap)
diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 538e3118e..2447713a2 100644
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -35,7 +35,7 @@ func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOpt
func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
errorMessage := ""
sentPassword := false
- tx, err := pam.StartFunc(ctrl.Cluster.Login.PAMService, opts.Username, func(style pam.Style, message string) (string, error) {
+ tx, err := pam.StartFunc(ctrl.Cluster.Login.PAM.Service, opts.Username, func(style pam.Style, message string) (string, error) {
ctxlog.FromContext(ctx).Debugf("pam conversation: style=%v message=%q", style, message)
switch style {
case pam.ErrorMsg:
@@ -80,7 +80,7 @@ func (ctrl *pamLoginController) UserAuthenticate(ctx context.Context, opts arvad
return arvados.APIClientAuthorization{}, err
}
email := user
- if domain := ctrl.Cluster.Login.PAMDefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
+ if domain := ctrl.Cluster.Login.PAM.DefaultEmailDomain; domain != "" && !strings.Contains(email, "@") {
email = email + "@" + domain
}
ctxlog.FromContext(ctx).WithFields(logrus.Fields{
diff --git a/lib/controller/localdb/login_pam_test.go b/lib/controller/localdb/login_pam_test.go
index 5b0e4533e..e6b967c94 100644
--- a/lib/controller/localdb/login_pam_test.go
+++ b/lib/controller/localdb/login_pam_test.go
@@ -32,8 +32,8 @@ func (s *PamSuite) SetUpSuite(c *check.C) {
c.Assert(err, check.IsNil)
s.cluster, err = cfg.GetCluster("")
c.Assert(err, check.IsNil)
- s.cluster.Login.PAM = true
- s.cluster.Login.PAMDefaultEmailDomain = "example.com"
+ s.cluster.Login.PAM.Enable = true
+ s.cluster.Login.PAM.DefaultEmailDomain = "example.com"
s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
s.ctrl = &pamLoginController{
Cluster: s.cluster,
@@ -79,6 +79,6 @@ func (s *PamSuite) TestLoginSuccess(c *check.C) {
c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
authinfo := getCallbackAuthInfo(c, s.railsSpy)
- c.Check(authinfo.Email, check.Equals, u+"@"+s.cluster.Login.PAMDefaultEmailDomain)
+ c.Check(authinfo.Email, check.Equals, u+"@"+s.cluster.Login.PAM.DefaultEmailDomain)
c.Check(authinfo.AlternateEmails, check.DeepEquals, []string(nil))
}
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 817f5b7a6..7ab8d9e1f 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -150,16 +150,24 @@ type Cluster struct {
EmailAttribute string
UsernameAttribute string
}
- GoogleClientID string
- GoogleClientSecret string
- GoogleAlternateEmailAddresses bool
- PAM bool
- PAMService string
- PAMDefaultEmailDomain string
- ProviderAppID string
- ProviderAppSecret string
- LoginCluster string
- RemoteTokenRefresh Duration
+ Google struct {
+ Enable bool
+ ClientID string
+ ClientSecret string
+ AlternateEmailAddresses bool
+ }
+ PAM struct {
+ Enable bool
+ Service string
+ DefaultEmailDomain string
+ }
+ SSO struct {
+ Enable bool
+ ProviderAppID string
+ ProviderAppSecret string
+ }
+ LoginCluster string
+ RemoteTokenRefresh Duration
}
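Review bot: The three new nested structs carry no comments, and the one constraint that matters to every consumer of this SDK type (only one backend may be enabled, which lib/controller/localdb enforces at runtime) is not visible here. I would add `// Exactly one of Google, PAM, SSO and LDAP may have Enable set; see chooseLoginController in lib/controller/localdb.` above `Google struct {`, and `// ClientSecret and ProviderAppSecret are excluded from the exported config; do not log this struct with %+v.` on the secret-bearing fields, hedged as it reflects the export whitelist rather than anything in this file. The enclosing `Cluster` struct starts and ends outside this hunk.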
Mail struct {
MailchimpAPIKey string