From 74f99ba94a8aa5b3c933440eb1478802935a857b Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 31 Oct 2017 16:03:28 -0400
Subject: [PATCH] Ensure encrypted passwords are not enabled with OIDC auth

Fixes https://jira.prod.coreos.systems/browse/QS-49
---
 util/config/validators/test/test_validate_oidcauth.py | 2 ++
 util/config/validators/validate_oidcauth.py | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/util/config/validators/test/test_validate_oidcauth.py b/util/config/validators/test/test_validate_oidcauth.py
index 7c5609ccb..9dedbe571 100644
--- a/util/config/validators/test/test_validate_oidcauth.py
+++ b/util/config/validators/test/test_validate_oidcauth.py
@@ -8,6 +8,8 @@ from test.fixtures import *
 @pytest.mark.parametrize('unvalidated_config', [
 ({'AUTHENTICATION_TYPE': 'OIDC'}),
 ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
+ ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice',
+ 'SOMESERVICE_LOGIN_CONFIG': {}, 'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True}),
 ])
 def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
 validator = OIDCAuthValidator()
diff --git a/util/config/validators/validate_oidcauth.py b/util/config/validators/validate_oidcauth.py
index 5d74fa23d..502ca8b9c 100644
--- a/util/config/validators/validate_oidcauth.py
+++ b/util/config/validators/validate_oidcauth.py
@@ -10,6 +10,10 @@ class OIDCAuthValidator(BaseValidator):
 if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
 return
 
+ # Ensure that encrypted passwords are not required, as they do not work with OIDC auth.
+ if config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False):
+ raise ConfigValidationException('Encrypted passwords must be disabled to use OIDC auth')
+
 login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
 if not login_service_id:
 raise ConfigValidationException('Missing OIDC provider')
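Review bot: The new parametrize case only proves that validation fails, not that it fails because of FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH; it also sets `'SOMESERVICE_LOGIN_CONFIG': {}`, so if an empty login config is itself rejected further down the validator, this case would keep passing even if the new guard were removed. Consider giving this case its own test that pins the reason, e.g. `with pytest.raises(ConfigValidationException, match='Encrypted passwords'):`, and a companion case with the flag absent that does not trip that specific error. The body of test_validate_invalid_oidc_auth_config continues outside the hunk, so how the failure is asserted there cannot be confirmed from this view.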
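Review bot: The new rejection message does not name the setting the operator has to change, and since the guard is keyed on `config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False)`, the fix is to surface that key: `raise ConfigValidationException('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH must be disabled to use OIDC auth')`. The truthiness check means any non-empty value, including a string such as "false" if config values can arrive un-typed, will fail validation; that is fail-closed for a hardening flag and seems acceptable, but it is worth a note in the comment so nobody later "fixes" it to `is True`. The comment could also say why the two are incompatible rather than just that they are; if the reason is that OIDC-authenticated users have no locally stored password for encrypted basic auth to be derived from, state that and reference QS-49. The enclosing validate method starts and ends outside the hunk.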