Ensure encrypted passwords are not enabled with OIDC auth

Fixes https://jira.prod.coreos.systems/browse/QS-49
2017-10-31 16:03:28 -04:00 · 2017-10-31 16:03:28 -04:00 · 74f99ba94a
commit 74f99ba94a
parent f9dc4e79b3
2 changed files with 6 additions and 0 deletions
--- a/util/config/validators/test/test_validate_oidcauth.py
+++ b/util/config/validators/test/test_validate_oidcauth.py
@ -8,6 +8,8 @@ from test.fixtures import *
@pytest.mark.parametrize('unvalidated_config', [
  ({'AUTHENTICATION_TYPE': 'OIDC'}),
  ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
+  ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice', 
+    'SOMESERVICE_LOGIN_CONFIG': {}, 'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True}),
 ])
 def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
  validator = OIDCAuthValidator()
--- a/util/config/validators/validate_oidcauth.py
+++ b/util/config/validators/validate_oidcauth.py
@ -10,6 +10,10 @@ class OIDCAuthValidator(BaseValidator):
    if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
      return

+    # Ensure that encrypted passwords are not required, as they do not work with OIDC auth.
+    if config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False):
+      raise ConfigValidationException('Encrypted passwords must be disabled to use OIDC auth')
+
    login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
    if not login_service_id:
        raise ConfigValidationException('Missing OIDC provider')