Ensure encrypted passwords are not enabled with OIDC auth

Fixes https://jira.prod.coreos.systems/browse/QS-49
This commit is contained in:
Joseph Schorr 2017-10-31 16:03:28 -04:00
parent f9dc4e79b3
commit 74f99ba94a
2 changed files with 6 additions and 0 deletions

View file

@ -8,6 +8,8 @@ from test.fixtures import *
@pytest.mark.parametrize('unvalidated_config', [ @pytest.mark.parametrize('unvalidated_config', [
({'AUTHENTICATION_TYPE': 'OIDC'}), ({'AUTHENTICATION_TYPE': 'OIDC'}),
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}), ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice',
'SOMESERVICE_LOGIN_CONFIG': {}, 'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True}),
]) ])
def test_validate_invalid_oidc_auth_config(unvalidated_config, app): def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
validator = OIDCAuthValidator() validator = OIDCAuthValidator()

View file

@ -10,6 +10,10 @@ class OIDCAuthValidator(BaseValidator):
if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC': if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
return return
# Ensure that encrypted passwords are not required, as they do not work with OIDC auth.
if config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False):
raise ConfigValidationException('Encrypted passwords must be disabled to use OIDC auth')
login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID') login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
if not login_service_id: if not login_service_id:
raise ConfigValidationException('Missing OIDC provider') raise ConfigValidationException('Missing OIDC provider')