[RR] Do not try to redirect to null resource server (#592)

Signed-off-by: Rick Elrod <[email protected]>
ansible · Aug 28, 2024 · 1bb5d17 · 1bb5d17
1 parent e02e729
commit 1bb5d17
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 4 deletions.
diff --git a/ansible_base/lib/dynamic_config/settings_logic.py b/ansible_base/lib/dynamic_config/settings_logic.py
@@ -229,6 +229,9 @@ def get_dab_settings(
         # Disable reverse syncing by default
         dab_data['DISABLE_RESOURCE_SERVER_SYNC'] = True
 
+        # Disable legacy SSO by default
+        dab_data['ENABLE_SERVICE_BACKED_SSO'] = False
+
     if 'ansible_base.oauth2_provider' in installed_apps:
         if 'oauth2_provider' not in installed_apps:
             dab_data.setdefault('INSTALLED_APPS', copy(installed_apps))

diff --git a/ansible_base/resource_registry/utils/service_backed_sso_pipeline.py b/ansible_base/resource_registry/utils/service_backed_sso_pipeline.py
@@ -10,6 +10,10 @@ def redirect_to_resource_server(*args, social=None, user=None, **kwargs):
     This MUST come at the end of the SOCIAL_AUTH_PIPELINE configuration.
     """
 
+    # Allow for disabling this pipeline without removing it from the settings.
+    if not getattr(settings, 'ENABLE_SERVICE_BACKED_SSO', False):
+        return None
+
     oidc_alt_key = None
 
     # Galaxy and AWX use different social auth backends for keycloak. AWX uses the

diff --git a/test_app/tests/resource_registry/test_service_backed_sso.py b/test_app/tests/resource_registry/test_service_backed_sso.py
@@ -84,7 +84,9 @@ def test_user_auth_code_generation_dab(authenticator_user):
 
 
 @pytest.mark.django_db
-def test_auth_code_pipeline(social_user):
+def test_auth_code_pipeline(settings, social_user):
+    settings.ENABLE_SERVICE_BACKED_SSO = True
+
     user, social = social_user
 
     response = {
@@ -104,7 +106,23 @@ def test_auth_code_pipeline(social_user):
 
 
 @pytest.mark.django_db
-def test_auth_code_pipeline_dab(authenticator_user):
+def test_auth_code_pipeline_resource_server_unset(social_user, settings):
+    settings.ENABLE_SERVICE_BACKED_SSO = False
+
+    user, social = social_user
+
+    response = {
+        "sub": "my_uid",
+        "preferred_username": "123123123123123",
+    }
+    resp = redirect_to_resource_server(user=user, social=social, response=response)
+    assert resp is None
+
+
+@pytest.mark.django_db
+def test_auth_code_pipeline_dab(authenticator_user, settings):
+    settings.ENABLE_SERVICE_BACKED_SSO = True
+
     user, social = authenticator_user
 
     response = {
@@ -124,7 +142,9 @@ def test_auth_code_pipeline_dab(authenticator_user):
 
 
 @pytest.mark.django_db
-def test_auth_code_pipeline_no_social(user):
+def test_auth_code_pipeline_no_social(user, settings):
+    settings.ENABLE_SERVICE_BACKED_SSO = True
+
     resp = redirect_to_resource_server(user=user)
 
     auth_code = resp.url.split("?auth_code=")[1]
@@ -137,5 +157,7 @@ def test_auth_code_pipeline_no_social(user):
 
 
 @pytest.mark.django_db
-def test_auth_code_pipeline_not_authed():
+def test_auth_code_pipeline_not_authed(settings):
+    settings.ENABLE_SERVICE_BACKED_SSO = True
+
     assert redirect_to_resource_server(user=None, social=None) is None