[arvados] updated: 2.7.0-5361-g795fecd239

git repository hosting git at public.arvados.org
Tue Nov 21 21:38:23 UTC 2023


Summary of changes:
 lib/controller/localdb/login_oidc.go      | 9 ++++-----
 lib/controller/localdb/login_oidc_test.go | 8 +++++---
 2 files changed, 9 insertions(+), 8 deletions(-)

       via  795fecd239bb7905c92576be8c6e1c3144c17fc3 (commit)
       via  8ab0bcca4fc5dae249e25a97bbc3a816c160d05d (commit)
       via  67ec8a1e8e4d5a62ed1c3f68a25ce9d342a14214 (commit)
      from  bd471a9eadaf564fb4beafd7db995b7762942c1d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 795fecd239bb7905c92576be8c6e1c3144c17fc3
Author: Brett Smith <brett.smith at curii.com>
Date:   Tue Nov 21 16:33:57 2023 -0500

    21137: Tighten TestEndSessionEndpointBadScheme check
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 7384935246..f505f5bc49 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"regexp"
 	"sort"
 	"strings"
 	"sync"
@@ -149,9 +150,11 @@ func (s *OIDCLoginSuite) TestRPInitiatedLogoutWithReturnTo(c *check.C) {
 
 func (s *OIDCLoginSuite) TestEndSessionEndpointBadScheme(c *check.C) {
 	// RP-Initiated Logout 1.0 says: "This URL MUST use the https scheme..."
-	s.fakeProvider.EndSessionEndpoint = &url.URL{Scheme: "http", Host: "example.com"}
+	u := url.URL{Scheme: "http", Host: "example.com"}
+	s.fakeProvider.EndSessionEndpoint = &u
 	_, err := s.localdb.Logout(s.ctx, arvados.LogoutOptions{})
-	c.Check(err, check.NotNil)
+	c.Check(err, check.ErrorMatches,
+		`.*\bend_session_endpoint MUST use HTTPS but does not: `+regexp.QuoteMeta(u.String()))
 }
 
 func (s *OIDCLoginSuite) TestNoRPInitiatedLogoutWithoutToken(c *check.C) {
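Review bot: The tightened assertion on L51-L52 still exercises only the lowercase `http` scheme, so a guard written as `u.Scheme == "http"` would satisfy this test while an empty scheme or any other non-https scheme slipped through; the guard itself is outside this page, so that is inferred from the test alone. Turning the body into a small table over `[]string{"http", "", "ftp"}` that builds `u`, calls Logout and matches the same message with `regexp.QuoteMeta(u.String())` per case would pin the spec's MUST-use-https rule rather than one rejected scheme. The message match itself is sound as written, since gocheck's ErrorMatches anchors the pattern and QuoteMeta neutralises the URL's metacharacters.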

commit 8ab0bcca4fc5dae249e25a97bbc3a816c160d05d
Author: Brett Smith <brett.smith at curii.com>
Date:   Tue Nov 21 16:19:52 2023 -0500

    21137: Prefer early return per review comments
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 128a271dbc..d91cdddc01 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -129,8 +129,11 @@ func (ctrl *oidcLoginController) Logout(ctx context.Context, opts arvados.Logout
 		return arvados.LogoutResponse{}, fmt.Errorf("error setting up OpenID Connect provider: %s", err)
 	}
 	resp, err := logout(ctx, ctrl.Cluster, opts)
+	if err != nil {
+		return arvados.LogoutResponse{}, err
+	}
 	creds, credsOK := auth.FromContext(ctx)
-	if err == nil && ctrl.endSessionURL != nil && credsOK && len(creds.Tokens) > 0 {
+	if ctrl.endSessionURL != nil && credsOK && len(creds.Tokens) > 0 {
 		values := ctrl.endSessionURL.Query()
 		values.Set("client_id", ctrl.ClientID)
 		values.Set("post_logout_redirect_uri", resp.RedirectLocation)
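Review bot: The gate on L78 silently downgrades to a local-only logout whenever the request carried no token, and nothing in the code says that is intentional; a comment above it would help, e.g. `// Only initiate RP logout at the OP when the caller presented a token; an anonymous request has no OP session to end.` It is also worth stating that `creds` is now read only for this gate and its token values are never placed in the query, so a later reader does not reintroduce a bearer token into the redirect URL. The early return on L73-L75 presumably drops any partially built resp the old fall-through returned alongside err, which is fine as long as callers ignore resp on error. The Logout body continues past the end of this hunk.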

commit 67ec8a1e8e4d5a62ed1c3f68a25ce9d342a14214
Author: Brett Smith <brett.smith at curii.com>
Date:   Tue Nov 21 16:14:59 2023 -0500

    21137: Remove id_token_hint from controller RP-initiated logout
    
    In the current Arvados stack, it is not possible to provide the ID token
    this parameter expects, because we do not retain it anywhere. The user's
    authorization token will either be an OIDC access token or an Arvados
    token generated when they logged in, so neither is suitable for use as
    id_token_hint.
    
    The spec says this parameter is RECOMMENDED but not REQUIRED, so
    omitting it is the simplest option that should still meet functional
    requirements.
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 66819fd12a..128a271dbc 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -134,10 +134,6 @@ func (ctrl *oidcLoginController) Logout(ctx context.Context, opts arvados.Logout
 		values := ctrl.endSessionURL.Query()
 		values.Set("client_id", ctrl.ClientID)
 		values.Set("post_logout_redirect_uri", resp.RedirectLocation)
-		values.Del("id_token_hint")
-		for _, token := range creds.Tokens {
-			values.Add("id_token_hint", token)
-		}
 		u := *ctrl.endSessionURL
 		u.RawQuery = values.Encode()
 		resp.RedirectLocation = u.String()
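Review bot: With id_token_hint gone the OP can no longer tie this request to a specific session, and RP-Initiated Logout 1.0 says the OP MUST ask the end user to confirm when no hint is supplied and relies on `client_id` (still set on L107) to validate `post_logout_redirect_uri`; users may therefore now see an OP-side confirmation page, which the commit message does not mention. The reason for the omission lives only in the commit message, so record it in the code above L106, e.g. `// id_token_hint is deliberately omitted: Arvados does not retain the ID token, and the access/Arvados token a request carries is a bearer secret that must not appear in a browser-visible redirect URL.` The Logout body starts and ends outside this hunk.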
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 1367fb6158..7384935246 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -132,7 +132,6 @@ func (s *OIDCLoginSuite) checkRPInitiatedLogout(c *check.C, returnTo string) {
 	}
 	values := loc.Query()
 	c.Check(values.Get("client_id"), check.Equals, s.cluster.Login.Google.ClientID)
-	c.Check(values.Get("id_token_hint"), check.Equals, accessToken)
 	c.Check(values.Get("post_logout_redirect_uri"), check.Equals, expReturn)
 }
 

-----------------------------------------------------------------------

