[ARVADOS] updated: 2.1.0-962-g5ade025ff

Wed Jun 23 14:07:38 UTC 2021

Summary of changes:
 lib/config/config.default.yml             | 10 ----------
 lib/config/deprecated.go                  | 12 ------------
 lib/config/export.go                      |  4 ----
 lib/controller/handler_test.go            | 28 ----------------------------
 lib/controller/localdb/login.go           | 21 ++-------------------
 lib/controller/localdb/login_oidc_test.go |  1 -
 sdk/go/arvados/config.go                  |  5 -----
 7 files changed, 2 insertions(+), 79 deletions(-)

       via  5ade025ff305e91ec0238a0415b79f379e6d0157 (commit)
      from  4918b6707e949e2c2dffba7960ff5786e8d2b6ef (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 5ade025ff305e91ec0238a0415b79f379e6d0157
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Wed Jun 23 10:07:19 2021 -0400

    17829: Remove SSO from config, controller, and tests
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index f0794a7e5..93edae981 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -736,16 +736,6 @@ Clusters:
         # originally supplied by the user will be used.
         UsernameAttribute: uid
 
-      SSO:
-        # Authenticate with a separate SSO server. (Deprecated)
-        Enable: false
-
-        # ProviderAppID and ProviderAppSecret are generated during SSO
-        # setup; see
-        # https://doc.arvados.org/v2.0/install/install-sso.html#update-config
-        ProviderAppID: ""
-        ProviderAppSecret: ""
-
       Test:
         # Authenticate users listed here in the config file. This
         # feature is intended to be used in test environments, and
diff --git a/lib/config/deprecated.go b/lib/config/deprecated.go
index 5e68bbfce..efc9f0837 100644
--- a/lib/config/deprecated.go
+++ b/lib/config/deprecated.go
@@ -103,18 +103,6 @@ func (ldr *Loader) applyDeprecatedConfig(cfg *arvados.Config) error {
 			*dst = *n
 		}
 
-		// Provider* moved to SSO.Provider*
-		if dst, n := &cluster.Login.SSO.ProviderAppID, dcluster.Login.ProviderAppID; n != nil && *n != *dst {
-			*dst = *n
-			if *n != "" {
-				// In old config, non-empty ID meant enable
-				cluster.Login.SSO.Enable = true
-			}
-		}
-		if dst, n := &cluster.Login.SSO.ProviderAppSecret, dcluster.Login.ProviderAppSecret; n != nil && *n != *dst {
-			*dst = *n
-		}
-
 		cfg.Clusters[id] = cluster
 	}
 	return nil
diff --git a/lib/config/export.go b/lib/config/export.go
index 23d0b6bff..32a528b3c 100644
--- a/lib/config/export.go
+++ b/lib/config/export.go
@@ -173,10 +173,6 @@ var whitelist = map[string]bool{
 	"Login.PAM.Enable":                                    true,
 	"Login.PAM.Service":                                   false,
 	"Login.RemoteTokenRefresh":                            true,
-	"Login.SSO":                                           true,
-	"Login.SSO.Enable":                                    true,
-	"Login.SSO.ProviderAppID":                             false,
-	"Login.SSO.ProviderAppSecret":                         false,
 	"Login.Test":                                          true,
 	"Login.Test.Enable":                                   true,
 	"Login.Test.Users":                                    false,
diff --git a/lib/controller/handler_test.go b/lib/controller/handler_test.go
index 2911a4f03..9b71c349a 100644
--- a/lib/controller/handler_test.go
+++ b/lib/controller/handler_test.go
@@ -164,34 +164,6 @@ func (s *HandlerSuite) TestProxyNotFound(c *check.C) {
 	c.Check(jresp["errors"], check.FitsTypeOf, []interface{}{})
 }
 
-func (s *HandlerSuite) TestProxyRedirect(c *check.C) {
-	s.cluster.Login.SSO.Enable = true
-	s.cluster.Login.SSO.ProviderAppID = "test"
-	s.cluster.Login.SSO.ProviderAppSecret = "test"
-	req := httptest.NewRequest("GET", "https://0.0.0.0:1/login?return_to=foo", nil)
-	resp := httptest.NewRecorder()
-	s.handler.ServeHTTP(resp, req)
-	if !c.Check(resp.Code, check.Equals, http.StatusFound) {
-		c.Log(resp.Body.String())
-	}
-	// Old "proxy entire request" code path returns an absolute
-	// URL. New lib/controller/federation code path returns a
-	// relative URL.
-	c.Check(resp.Header().Get("Location"), check.Matches, `(https://0.0.0.0:1)?/auth/joshid\?return_to=%2Cfoo&?`)
-}
-
-func (s *HandlerSuite) TestLogoutSSO(c *check.C) {
-	s.cluster.Login.SSO.Enable = true
-	s.cluster.Login.SSO.ProviderAppID = "test"
-	req := httptest.NewRequest("GET", "https://0.0.0.0:1/logout?return_to=https://example.com/foo", nil)
-	resp := httptest.NewRecorder()
-	s.handler.ServeHTTP(resp, req)
-	if !c.Check(resp.Code, check.Equals, http.StatusFound) {
-		c.Log(resp.Body.String())
-	}
-	c.Check(resp.Header().Get("Location"), check.Equals, "http://localhost:3002/users/sign_out?"+url.Values{"redirect_uri": {"https://example.com/foo"}}.Encode())
-}
-
 func (s *HandlerSuite) TestLogoutGoogle(c *check.C) {
 	s.cluster.Login.Google.Enable = true
 	s.cluster.Login.Google.ClientID = "test"
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 0d6f2ef02..3c7b01baa 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -30,15 +30,14 @@ type loginController interface {
 func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
 	wantGoogle := cluster.Login.Google.Enable
 	wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
-	wantSSO := cluster.Login.SSO.Enable
 	wantPAM := cluster.Login.PAM.Enable
 	wantLDAP := cluster.Login.LDAP.Enable
 	wantTest := cluster.Login.Test.Enable
 	wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
 	switch {
-	case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
+	case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster):
 		return errorLoginController{
-			error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
+			error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
 		}
 	case wantGoogle:
 		return &oidcLoginController{
@@ -66,8 +65,6 @@ func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginControll
 			AcceptAccessToken:      cluster.Login.OpenIDConnect.AcceptAccessToken,
 			AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope,
 		}
-	case wantSSO:
-		return &ssoLoginController{Parent: parent}
 	case wantPAM:
 		return &pamLoginController{Cluster: cluster, Parent: parent}
 	case wantLDAP:
@@ -93,20 +90,6 @@ func countTrue(vals ...bool) int {
 	return n
 }
 
-// Login and Logout are passed through to the parent's railsProxy;
-// UserAuthenticate is rejected.
-type ssoLoginController struct{ Parent *Conn }
-
-func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
-	return ctrl.Parent.railsProxy.Login(ctx, opts)
-}
-func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-	return ctrl.Parent.railsProxy.Logout(ctx, opts)
-}
-func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
-	return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
-}
-
 type errorLoginController struct{ error }
 
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index c9d6133c4..3d1650074 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -63,7 +63,6 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
 	c.Assert(err, check.IsNil)
 	s.cluster, err = cfg.GetCluster("")
 	c.Assert(err, check.IsNil)
-	s.cluster.Login.SSO.Enable = false
 	s.cluster.Login.Google.Enable = true
 	s.cluster.Login.Google.ClientID = "test%client$id"
 	s.cluster.Login.Google.ClientSecret = "test#client/secret"
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 403d501b4..23bc258cb 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -176,11 +176,6 @@ type Cluster struct {
 			Service            string
 			DefaultEmailDomain string
 		}
-		SSO struct {
-			Enable            bool
-			ProviderAppID     string
-			ProviderAppSecret string
-		}
 		Test struct {
 			Enable bool
 			Users  map[string]TestUser

-----------------------------------------------------------------------


hooks/post-receive
-- 


