Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: when setting isOidcEnabled is false override env variable #4403

Merged
merged 6 commits into from
Nov 21, 2024
Merged

fix: when setting isOidcEnabled is false override env variable #4403

merged 6 commits into from
Nov 21, 2024

Conversation

harmbrugge
Copy link
Member

@harmbrugge harmbrugge commented Oct 28, 2024
edited
Loading

Fixes #3619

What are the main changes you did:

  • When the database setting isOidcEnabled is set to false it will used this setting and overrides env OIDC properties

how to test:

  • Spin up an instance of emx2 with OIDC env variables set
  • See OIDC is enabled
  • Log in with admin
  • Set isOidcEnabled to false
  • See that OIDC login is disabled

todo:

  • updated docs in case of new feature
  • added/updated tests
  • added/updated testplan to include a test for this fix, including ref to bug using # notation

esthervanenckevort
esthervanenckevort requested changes Oct 31, 2024
View reviewed changes
Copy link
Member

@esthervanenckevort esthervanenckevort left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since OIDC is not available in previews I can't fully test this.
The logic for handling the setting & environment property if it is the setting is not present seems fine, but I see one edge case that might be confusing. If OIDC was configured in the past and then removed the OIDC setting remains in the settings database.
I think if MOLGENIS_OIDC_CLIENT_ID is not set we should remove the IS_OIDC_ENABLED setting from the settings database.

@mswertz
Copy link
Member

mswertz commented Nov 6, 2024
edited
Loading

I think if MOLGENIS_OIDC_CLIENT_ID is not set we should remove the IS_OIDC_ENABLED setting from the settings database.

I think you are saying that if the oidc settings is clearly incomplete then it should be ignored, logging an error in startup script. That I suppose is a bit of a challenge because when settings change then the oidc should reload too.

I pushed an update that provides some useful info on these missing parameters but I am not sure it is clear now.

esthervanenckevort
esthervanenckevort requested changes Nov 7, 2024
View reviewed changes
Copy link
Member

@esthervanenckevort esthervanenckevort left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This latest change can leave you in a situation where it is very hard to recover from.
I would do it the other way around. isOidcEnabled only functioning as a override to temporarily disable OIDC without removing the configuration. If there is no OIDC configuration in the environment then the isOidcEnabled flag is removed from the settings database.

@mswertz
Copy link
Member

mswertz commented Nov 7, 2024

This latest change can leave you in a situation where it is very hard to recover from. I would do it the other way around. isOidcEnabled only functioning as a override to temporarily disable OIDC without removing the configuration. If there is no OIDC configuration in the environment then the isOidcEnabled flag is removed from the settings database.

But that would lead to weird dissapearing if a user made the setting. Issen't that confusing?
Harm and I though we should invest in error logging and then in another story make error visible to UI.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
48.1% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

esthervanenckevort
esthervanenckevort approved these changes Nov 20, 2024
View reviewed changes
Copy link
Member

@esthervanenckevort esthervanenckevort left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested on localhost and I can enable and disable OIDC.

One thing we might consider is to force log out everyone when OIDC is disabled or enabled.

@harmbrugge harmbrugge merged commit 491ea68 into master Nov 21, 2024
3 of 5 checks passed
@harmbrugge harmbrugge deleted the fix/oidc-setting branch November 21, 2024 08:18
davidruvolo51 pushed a commit that referenced this pull request Nov 26, 2024
@harmbrugge @mswertz @davidruvolo51
fix: when setting isOidcEnabled is false override env variable (#4403)
b008137 
* When OIDC setting is available use it

* provide an error state if parameters are missing

* Load db settings in security config

* Show error message when setting oidc to true when settings are incomplete

---------

Co-authored-by: Morris Swertz <m.a.swertz@rug.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esthervanenckevort esthervanenckevort esthervanenckevort approved these changes

@mswertz mswertz mswertz approved these changes

@BrendaHijmans BrendaHijmans Awaiting requested review from BrendaHijmans

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix: when setting isOidcEnabled is false, I can still log in via oidc
3 participants
@harmbrugge @mswertz @esthervanenckevort