Merge pull request #2662 from coreos-inc/direct-login

Enable toggling of the direct login feature in the superuser panel

util/config/configutil.py

@@ -19,6 +19,7 @@ def add_enterprise_config_defaults(config_obj, current_secret_key, hostname):
   config_obj['FEATURE_REQUIRE_TEAM_INVITE'] = config_obj.get('FEATURE_REQUIRE_TEAM_INVITE', True)
   config_obj['FEATURE_CHANGE_TAG_EXPIRATION'] = config_obj.get('FEATURE_CHANGE_TAG_EXPIRATION',
                                                                True)
+  config_obj['FEATURE_DIRECT_LOGIN'] = config_obj.get('FEATURE_DIRECT_LOGIN', True)
 
   # Default features that are off.
   config_obj['FEATURE_MAILING'] = config_obj.get('FEATURE_MAILING', False)

util/config/validator.py

@@ -20,6 +20,7 @@ from util.config.validators.validate_gitlab_trigger import GitLabTriggerValidato
 from util.config.validators.validate_github import GitHubLoginValidator, GitHubTriggerValidator
 from util.config.validators.validate_oidc import OIDCLoginValidator
 from util.config.validators.validate_timemachine import TimeMachineValidator
+from util.config.validators.validate_access import AccessSettingsValidator
 
 logger = logging.getLogger(__name__)
 
@@ -55,6 +56,7 @@ VALIDATORS = {
   BittorrentValidator.name: BittorrentValidator.validate,
   OIDCLoginValidator.name: OIDCLoginValidator.validate,
   TimeMachineValidator.name: TimeMachineValidator.validate,
+  AccessSettingsValidator.name: AccessSettingsValidator.validate,
 }
 
 def validate_service_for_config(service, config, password=None):

util/config/validators/test/test_validate_access.py

@@ -0,0 +1,22 @@
+import pytest
+
+from util.config.validators import ConfigValidationException
+from util.config.validators.validate_access import AccessSettingsValidator
+
+from test.fixtures import *
+
+@pytest.mark.parametrize('unvalidated_config, expected_exception', [
+  ({}, None),
+  ({'FEATURE_DIRECT_LOGIN': False}, ConfigValidationException),
+  ({'FEATURE_DIRECT_LOGIN': False, 'SOMETHING_LOGIN_CONFIG': {}}, None),
+  ({'FEATURE_DIRECT_LOGIN': False, 'FEATURE_GITHUB_LOGIN': True}, None),
+  ({'FEATURE_DIRECT_LOGIN': False, 'FEATURE_GOOGLE_LOGIN': True}, None),
+])
+def test_validate_invalid_oidc_login_config(unvalidated_config, expected_exception, app):
+  validator = AccessSettingsValidator()
+
+  if expected_exception is not None:
+    with pytest.raises(expected_exception):
+      validator.validate(unvalidated_config, None, None)
+  else:
+    validator.validate(unvalidated_config, None, None)

util/config/validators/validate_access.py

@@ -0,0 +1,22 @@
+from app import app
+from util.config.validators import BaseValidator, ConfigValidationException
+from oauth.loginmanager import OAuthLoginManager
+from oauth.oidc import OIDCLoginService
+
+class AccessSettingsValidator(BaseValidator):
+  name = "access"
+
+  @classmethod
+  def validate(cls, config, user, user_password):
+    if not config.get('FEATURE_DIRECT_LOGIN', True):
+      # Make sure we have at least one OIDC enabled.
+      github_login = config.get('FEATURE_GITHUB_LOGIN', False)
+      google_login = config.get('FEATURE_GOOGLE_LOGIN', False)
+
+      client = app.config['HTTPCLIENT']
+      login_manager = OAuthLoginManager(config, client=client)
+      custom_oidc = [s for s in login_manager.services if isinstance(s, OIDCLoginService)]
+
+      if not github_login and not google_login and not custom_oidc:
+        msg = 'Cannot disable credentials login to UI without configured OIDC service'
+        raise ConfigValidationException(msg)