Merge pull request #2901 from coreos-inc/joseph.schorr/QS-49/oidc-encrypted-pass

Ensure encrypted passwords are not enabled with OIDC auth

util/config/validators/test/test_validate_oidcauth.py

@@ -8,6 +8,8 @@ from test.fixtures import *
 @pytest.mark.parametrize('unvalidated_config', [
   ({'AUTHENTICATION_TYPE': 'OIDC'}),
   ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
+  ({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice', 
+    'SOMESERVICE_LOGIN_CONFIG': {}, 'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True}),
 ])
 def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
   validator = OIDCAuthValidator()

util/config/validators/validate_oidcauth.py

@@ -10,6 +10,10 @@ class OIDCAuthValidator(BaseValidator):
     if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
       return
 
+    # Ensure that encrypted passwords are not required, as they do not work with OIDC auth.
+    if config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False):
+      raise ConfigValidationException('Encrypted passwords must be disabled to use OIDC auth')
+
     login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
     if not login_service_id:
         raise ConfigValidationException('Missing OIDC provider')