Merge pull request #2695 from coreos-inc/oidc-internal-auth

OIDC internal auth support

util/config/validators/test/test_validate_oidcauth.py

@@ -0,0 +1,32 @@
+import pytest
+
+from util.config.validators import ConfigValidationException
+from util.config.validators.validate_oidcauth import OIDCAuthValidator
+
+from test.fixtures import *
+
+@pytest.mark.parametrize('unvalidated_config', [
+  ({'AUTHENTICATION_TYPE': 'OIDC'}),
+  ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
+])
+def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
+  validator = OIDCAuthValidator()
+
+  with pytest.raises(ConfigValidationException):
+    validator.validate(unvalidated_config, None, None)
+
+
+def test_validate_oidc_auth(app):
+  config = {
+    'AUTHENTICATION_TYPE': 'OIDC',
+    'INTERNAL_OIDC_SERVICE_ID': 'someservice',
+    'SOMESERVICE_LOGIN_CONFIG': {
+      'CLIENT_ID': 'foo',
+      'CLIENT_SECRET': 'bar',
+      'OIDC_SERVER': 'http://someserver',
+    },
+    'HTTPCLIENT': None,
+  }
+
+  validator = OIDCAuthValidator()
+  validator.validate(config, None, None)

util/config/validators/validate_oidcauth.py

@@ -0,0 +1,21 @@
+from app import app
+from data.users.oidc import OIDCInternalAuth, UnknownServiceException
+from util.config.validators import BaseValidator, ConfigValidationException
+
+class OIDCAuthValidator(BaseValidator):
+  name = "oidc-auth"
+
+  @classmethod
+  def validate(cls, config, user, user_password):
+    if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
+      return
+
+    login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
+    if not login_service_id:
+        raise ConfigValidationException('Missing OIDC provider')
+
+    # By instantiating the auth engine, it will check if the provider exists and works.
+    try:
+      OIDCInternalAuth(config, login_service_id, False)
+    except UnknownServiceException as use:
+      raise ConfigValidationException(use.message)