[23.1] Prevent Singular external auth users from disconnecting identity
Added a `fixed_delegated_auth` variable to the `ConfigSerializer` that
lets us redirect users to home if we have a Galaxy set up with:
```
	config.enable_oidc
	and len(config.oidc) == 1
	and len(auth_manager.authenticators) == 0
```

as in; we only have 1 external auth and no local authenticator,
hence, we don't want users to be disconnecting the external
provider.
ahmedhamidawan committed Nov 1, 2023
1 parent 8143b11 commit bc5aca0
Showing 4 changed files with 24 additions and 14 deletions.
2 changes: 1 addition & 1 deletion client/src/components/User/UserPreferences.vue
Expand Up @@ -49,7 +49,7 @@
to="/user/cloud_auth" />
<ConfigProvider v-slot="{ config }">
<user-preferences-element
v-if="config.enable_oidc"
v-if="config.enable_oidc && !config.fixed_delegated_auth"
id="manage-third-party-identities"
icon="fa-id-card-o"
title="Manage Third-Party Identities"
2 changes: 1 addition & 1 deletion client/src/entry/analysis/router.js
Expand Up @@ -397,7 +397,7 @@ export function getRouter(Galaxy) {
{
path: "user/external_ids",
component: ExternalIdentities,
redirect: redirectAnon(),
redirect: redirectIf(Galaxy.config.fixed_delegated_auth, "/") || redirectAnon(),
},
{
path: "user/notifications",
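Review bot: The `redirect: redirectIf(Galaxy.config.fixed_delegated_auth, "/") || redirectAnon()` line is a client-side guard only; nothing in this commit applies the same `fixed_delegated_auth` condition on the server endpoints that disconnect an identity, so the page is hidden while the API presumably still accepts the request (I cannot confirm from this diff). If the intent is to prevent disconnection rather than merely hide the page, the server-side disconnect handler should reject the call when the condition holds, ideally through one shared helper so the two never drift. `Galaxy.config.fixed_delegated_auth` is also read once when the router is built; against a server that does not serialize the key it is `undefined` and falls through to `redirectAnon()`, which is fine but deserves a comment, e.g. `// single external provider and no local auth: identities cannot be managed, send home`. `getRouter` starts and ends outside the hunk.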
28 changes: 16 additions & 12 deletions lib/galaxy/authnz/custos_authnz.py
Expand Up @@ -189,19 +189,21 @@ def callback(self, state_token, authz_code, trans, login_redirect_url):
if custos_authnz_token is None:
user = trans.user
existing_user = trans.sa_session.query(User).filter_by(email=email).first()
# If there is only a single external authentication
# provider in use, trust the user provided and
# automatically associate.
# Equivalent to `fixed_delegated_auth` from `ConfigSerializer`
# TODO: Future work will expand on this and provide an
# interface for when there are multiple auth providers
# allowing explicit authenticated association.
fixed_delegated_auth = (
trans.app.config.enable_oidc
and len(trans.app.config.oidc) == 1
and len(trans.app.auth_manager.authenticators) == 0
)
if not user:
if existing_user:
# If there is only a single external authentication
# provider in use, trust the user provided and
# automatically associate.
# TODO: Future work will expand on this and provide an
# interface for when there are multiple auth providers
# allowing explicit authenticated association.
if (
trans.app.config.enable_oidc
and len(trans.app.config.oidc) == 1
and len(trans.app.auth_manager.authenticators) == 0
):
if fixed_delegated_auth:
user = existing_user
else:
message = f"There already exists a user with email {email}. To associate this external login, you must first be logged in as that existing account."
Expand Down Expand Up @@ -233,7 +235,9 @@ def callback(self, state_token, authz_code, trans, login_redirect_url):
refresh_expiration_time=refresh_expiration_time,
)
label = self.config["label"]
if existing_user and existing_user != user:
if fixed_delegated_auth:
redirect_url = login_redirect_url
elif existing_user and existing_user != user:
redirect_url = (
f"{login_redirect_url}user/external_ids"
f"?email_exists={email}"
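Review bot: The second hunk silently changes the outcome for the case where `trans.user` is already set and differs from `existing_user`: before, that case went to `user/external_ids?email_exists=...`, now `if fixed_delegated_auth:` takes precedence and sends the user to `login_redirect_url` with no message. If that case can occur under a single-provider setup the notice should be kept; if it cannot, say so at the branch, e.g. `# With a single external provider existing_user was adopted above, so no association notice is needed.`. Separately, the `fixed_delegated_auth` expression in the first hunk is a verbatim copy of the one added to `ConfigSerializer` in this commit (the comment even says so); a single helper on the app or auth manager queried from both places would keep them from drifting. `callback` starts before the first hunk and continues past the second.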
6 changes: 6 additions & 0 deletions lib/galaxy/managers/configuration.py
Expand Up @@ -113,6 +113,7 @@ def _config_is_truthy(item, key, **context):
return True if item.get(key) else False

object_store = self.app.object_store
auth_manager = self.app.auth_manager
self.serializers: Dict[str, base.Serializer] = {
# TODO: this is available from user data, remove
"is_admin_user": lambda *a, **c: False,
Expand Down Expand Up @@ -208,6 +209,11 @@ def _config_is_truthy(item, key, **context):
"tool_training_recommendations_link": _use_config,
"tool_training_recommendations_api_url": _use_config,
"enable_notification_system": _use_config,
"fixed_delegated_auth": lambda item, key, **context: (
bool(item.get("enable_oidc"))
and len(list(_use_config(item, "oidc", **context))) == 1
and len(list(auth_manager.authenticators)) == 0
),
}


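Review bot: `bool(item.get("enable_oidc"))` in the new `fixed_delegated_auth` lambda re-implements the `_config_is_truthy` helper visible at the top of the first hunk; `_config_is_truthy(item, "enable_oidc", **context)` would match the rest of the serializer. `len(list(_use_config(item, "oidc", **context)))` will raise `TypeError` if `oidc` is ever `None` while `enable_oidc` is true — I cannot see `_use_config` or the config default from this hunk, so worth confirming or guarding with `or ()`. The condition also duplicates the one added to `custos_authnz.py` in this same commit; one property on the auth manager used by both would avoid drift. A comment on the new key would help, e.g. `# True when exactly one OIDC provider and no local authenticator are configured; the client then hides identity management.`. The enclosing method starts outside the hunk.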
