[ARVADOS] created: 1.3.0-2607-g9ab021c2c

commit 9ab021c2c2720b563f012b99dfbf3e7034a3c245
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Wed May 27 09:44:36 2020 -0400

    16171: Rename googleLoginController to oidcLoginController.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 0fd0a9ad2..d79dc6358 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -29,7 +29,7 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
 	wantLDAP := cluster.Login.LDAP.Enable
 	switch {
 	case wantGoogle && !wantSSO && !wantPAM && !wantLDAP:
-		return &googleLoginController{Cluster: cluster, RailsProxy: railsProxy}
+		return &oidcLoginController{Cluster: cluster, RailsProxy: railsProxy, Issuer: "https://accounts.google.com", GoogleAPI: true}
 	case !wantGoogle && wantSSO && !wantPAM && !wantLDAP:
 		return &ssoLoginController{railsProxy}
 	case !wantGoogle && !wantSSO && wantPAM && !wantLDAP:
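Review bot: The Google issuer URL is now spelled out as a bare string literal here (line 27) and again as an expected value in login_oidc_test.go (line 160 of this page), so the two can drift without a compile error. A package-level `const googleIssuer = "https://accounts.google.com"` used in both places would keep them in step and document that this literal is the identity of the trusted issuer rather than an arbitrary URL. chooseLoginController starts and ends outside this hunk.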
diff --git a/lib/controller/localdb/login_google.go b/lib/controller/localdb/login_oidc.go
similarity index 87%
rename from lib/controller/localdb/login_google.go
rename to lib/controller/localdb/login_oidc.go
index 144b04c46..e273953de 100644
--- a/lib/controller/localdb/login_google.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -30,25 +30,22 @@ import (
 	"google.golang.org/api/people/v1"
 )
 
-type googleLoginController struct {
+type oidcLoginController struct {
 	Cluster    *arvados.Cluster
 	RailsProxy *railsProxy
+	Issuer     string // OIDC issuer URL, e.g., "https://accounts.google.com"
+	GoogleAPI  bool   // Issuer is Google; use additional Google APIs/extensions as needed
 
-	issuer            string // override OIDC issuer URL (normally https://accounts.google.com) for testing
 	peopleAPIBasePath string // override Google People API base URL (normally set by google pkg to https://people.googleapis.com/)
 	provider          *oidc.Provider
 	mu                sync.Mutex
 }
 
-func (ctrl *googleLoginController) getProvider() (*oidc.Provider, error) {
+func (ctrl *oidcLoginController) getProvider() (*oidc.Provider, error) {
 	ctrl.mu.Lock()
 	defer ctrl.mu.Unlock()
 	if ctrl.provider == nil {
-		issuer := ctrl.issuer
-		if issuer == "" {
-			issuer = "https://accounts.google.com"
-		}
-		provider, err := oidc.NewProvider(context.Background(), issuer)
+		provider, err := oidc.NewProvider(context.Background(), ctrl.Issuer)
 		if err != nil {
 			return nil, err
 		}
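Review bot: With the fallback to "https://accounts.google.com" removed (old lines 60-63), an oidcLoginController whose Issuer is left empty now passes `""` straight into `oidc.NewProvider` on line 65 and fails only with whatever discovery error the library produces for an empty URL, which hides the real cause (a missing configuration). Rejecting the misconfiguration explicitly inside the nil-provider branch gives a clear message: `if ctrl.Issuer == "" { return nil, errors.New("oidcLoginController: Issuer is not configured") }`. The field comment on Issuer (line 46) could also say it is required now that there is no default. getProvider continues past the end of this hunk.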
@@ -57,11 +54,11 @@ func (ctrl *googleLoginController) getProvider() (*oidc.Provider, error) {
 	return ctrl.provider, nil
 }
 
-func (ctrl *googleLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+func (ctrl *oidcLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
 	return noopLogout(ctrl.Cluster, opts)
 }
 
-func (ctrl *googleLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
+func (ctrl *oidcLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
 	provider, err := ctrl.getProvider()
 	if err != nil {
 		return loginError(fmt.Errorf("error setting up OpenID Connect provider: %s", err))
@@ -81,7 +78,7 @@ func (ctrl *googleLoginController) Login(ctx context.Context, opts arvados.Login
 		ClientID: conf.ClientID,
 	})
 	if opts.State == "" {
-		// Initiate Google sign-in.
+		// Initiate OIDC sign-in.
 		if opts.ReturnTo == "" {
 			return loginError(errors.New("missing return_to parameter"))
 		}
@@ -102,7 +99,7 @@ func (ctrl *googleLoginController) Login(ctx context.Context, opts arvados.Login
 				oauth2.SetAuthURLParam("prompt", "select_account")),
 		}, nil
 	} else {
-		// Callback after Google sign-in.
+		// Callback after OIDC sign-in.
 		state := ctrl.parseOAuth2State(opts.State)
 		if !state.verify([]byte(ctrl.Cluster.SystemRootToken)) {
 			return loginError(errors.New("invalid OAuth2 state"))
@@ -131,7 +128,7 @@ func (ctrl *googleLoginController) Login(ctx context.Context, opts arvados.Login
 	}
 }
 
-func (ctrl *googleLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+func (ctrl *oidcLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
 	return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
 }
 
@@ -139,7 +136,7 @@ func (ctrl *googleLoginController) UserAuthenticate(ctx context.Context, opts ar
 // primary address at index 0. The provided defaultAddr is always
 // included in the returned slice, and is used as the primary if the
 // Google API does not indicate one.
-func (ctrl *googleLoginController) getAuthInfo(ctx context.Context, cluster *arvados.Cluster, conf *oauth2.Config, token *oauth2.Token, idToken *oidc.IDToken) (*rpc.UserSessionAuthInfo, error) {
+func (ctrl *oidcLoginController) getAuthInfo(ctx context.Context, cluster *arvados.Cluster, conf *oauth2.Config, token *oauth2.Token, idToken *oidc.IDToken) (*rpc.UserSessionAuthInfo, error) {
 	var ret rpc.UserSessionAuthInfo
 	defer ctxlog.FromContext(ctx).WithField("ret", &ret).Debug("getAuthInfo returned")
 
@@ -162,7 +159,7 @@ func (ctrl *googleLoginController) getAuthInfo(ctx context.Context, cluster *arv
 		ret.Email = claims.Email
 	}
 
-	if !ctrl.Cluster.Login.Google.AlternateEmailAddresses {
+	if !ctrl.Cluster.Login.Google.AlternateEmailAddresses || !ctrl.GoogleAPI {
 		if ret.Email == "" {
 			return nil, fmt.Errorf("cannot log in with unverified email address %q", claims.Email)
 		}
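Review bot: The new guard on line 124 consults the Google-specific `Login.Google.AlternateEmailAddresses` setting before asking whether the issuer is Google at all, so the reader has to infer that the People API lookup is only intended when both hold; putting the issuer check first makes the intent explicit: `if !ctrl.GoogleAPI || !ctrl.Cluster.Login.Google.AlternateEmailAddresses {`. The doc comment on getAuthInfo (lines 111-113 of the earlier hunk) still describes only the Google API case and could add that for a non-Google issuer only the email carried in the verified ID token is accepted, which appears to be what the surrounding lines do. getAuthInfo begins and ends outside this hunk.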
@@ -237,7 +234,7 @@ func loginError(sendError error) (resp arvados.LoginResponse, err error) {
 	return
 }
 
-func (ctrl *googleLoginController) newOAuth2State(key []byte, remote, returnTo string) oauth2State {
+func (ctrl *oidcLoginController) newOAuth2State(key []byte, remote, returnTo string) oauth2State {
 	s := oauth2State{
 		Time:     time.Now().Unix(),
 		Remote:   remote,
@@ -254,7 +251,7 @@ type oauth2State struct {
 	ReturnTo string // redirect target
 }
 
-func (ctrl *googleLoginController) parseOAuth2State(encoded string) (s oauth2State) {
+func (ctrl *oidcLoginController) parseOAuth2State(encoded string) (s oauth2State) {
 	// Errors are not checked. If decoding/parsing fails, the
 	// token will be rejected by verify().
 	decoded, _ := base64.RawURLEncoding.DecodeString(encoded)
diff --git a/lib/controller/localdb/login_google_test.go b/lib/controller/localdb/login_oidc_test.go
similarity index 96%
rename from lib/controller/localdb/login_google_test.go
rename to lib/controller/localdb/login_oidc_test.go
index 495fbb69b..59fb8ce05 100644
--- a/lib/controller/localdb/login_google_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -154,8 +154,10 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
 	c.Assert(err, check.IsNil)
 
 	s.localdb = NewConn(s.cluster)
-	s.localdb.loginController.(*googleLoginController).issuer = s.fakeIssuer.URL
-	s.localdb.loginController.(*googleLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
+	c.Assert(s.localdb.loginController, check.FitsTypeOf, (*oidcLoginController)(nil))
+	c.Check(s.localdb.loginController.(*oidcLoginController).Issuer, check.Equals, "https://accounts.google.com")
+	s.localdb.loginController.(*oidcLoginController).Issuer = s.fakeIssuer.URL
+	s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
 
 	s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
 	*s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
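Review bot: Nothing in the renamed suite exercises the non-Google path this commit introduces — SetUpTest swaps Issuer for the fake server on line 161 but leaves GoogleAPI at whatever NewConn's controller selection sets (presumably true, per the login.go hunk), so the new `|| !ctrl.GoogleAPI` branch in getAuthInfo is never reached. A companion test that sets `GoogleAPI = false` on the controller and checks that an ID token without a verified email is rejected, and that the fake People API server receives no request, would pin the behavior the rename is meant to enable. SetUpTest starts before this hunk.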
@@ -188,7 +190,7 @@ func (s *LoginSuite) TestGoogleLogin_Start(c *check.C) {
 		c.Check(target.Host, check.Equals, issuerURL.Host)
 		q := target.Query()
 		c.Check(q.Get("client_id"), check.Equals, "test%client$id")
-		state := s.localdb.loginController.(*googleLoginController).parseOAuth2State(q.Get("state"))
+		state := s.localdb.loginController.(*oidcLoginController).parseOAuth2State(q.Get("state"))
 		c.Check(state.verify([]byte(s.cluster.SystemRootToken)), check.Equals, true)
 		c.Check(state.Time, check.Not(check.Equals), 0)
 		c.Check(state.Remote, check.Equals, remote)
@@ -223,7 +225,7 @@ func (s *LoginSuite) setupPeopleAPIError(c *check.C) {
 		w.WriteHeader(http.StatusForbidden)
 		fmt.Fprintln(w, `Error 403: accessNotConfigured`)
 	}))
-	s.localdb.loginController.(*googleLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
+	s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
 }
 
 func (s *LoginSuite) TestGoogleLogin_PeopleAPIDisabled(c *check.C) {
