Ensure encrypted passwords are not enabled with OIDC auth
Fixes https://jira.prod.coreos.systems/browse/QS-49
parent
f9dc4e79b3
commit
74f99ba94a
2 changed files with 6 additions and 0 deletions
|
@ -8,6 +8,8 @@ from test.fixtures import *
|
||||||
@pytest.mark.parametrize('unvalidated_config', [
|
@pytest.mark.parametrize('unvalidated_config', [
|
||||||
({'AUTHENTICATION_TYPE': 'OIDC'}),
|
({'AUTHENTICATION_TYPE': 'OIDC'}),
|
||||||
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
|
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
|
||||||
|
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice',
|
||||||
|
'SOMESERVICE_LOGIN_CONFIG': {}, 'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True}),
|
||||||
])
|
])
|
||||||
def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
|
def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
|
||||||
validator = OIDCAuthValidator()
|
validator = OIDCAuthValidator()
|
||||||
|
|
|
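Review bot: The added parametrize case (the tuple with `'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True`) only proves the new guard if the test checks which error was raised. With `'SOMESERVICE_LOGIN_CONFIG': {}` the config may also be rejected by a later check, so this case could keep passing after the encrypted-password guard is removed. The test body continues outside the hunk, so this is inferred; if it uses a bare `pytest.raises(ConfigValidationException)`, consider pinning the message for this case, e.g. `with pytest.raises(ConfigValidationException, match='Encrypted passwords'):`. A one-line comment above the new case, such as `# Requiring encrypted basic auth is incompatible with OIDC and must be rejected.`, would record why it is there.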
@ -10,6 +10,10 @@ class OIDCAuthValidator(BaseValidator):
|
||||||
if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
|
if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
|
||||||
return
|
return
|
||||||
|
|
||||||
|
# Ensure that encrypted passwords are not required, as they do not work with OIDC auth.
|
||||||
|
if config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False):
|
||||||
|
raise ConfigValidationException('Encrypted passwords must be disabled to use OIDC auth')
|
||||||
|
|
||||||
login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
|
login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
|
||||||
if not login_service_id:
|
if not login_service_id:
|
||||||
raise ConfigValidationException('Missing OIDC provider')
|
raise ConfigValidationException('Missing OIDC provider')
|
||||||
|
|
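Review bot: The new `ConfigValidationException` message does not name the setting the operator has to change, so 'Encrypted passwords must be disabled to use OIDC auth' has to be mapped to `FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH` by hand. Consider `raise ConfigValidationException('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH must be disabled to use OIDC auth')`. The guard also relies on the plain truthiness of `config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False)`, so any non-empty value is treated as enabled; that is probably intended, but the comment above it could say so. The enclosing method starts and ends outside the hunk.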