From 1bd421e9c2ceb9875d31221721ec3d6231535160 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Feb 21 2017 02:09:48 +0000
Subject: Merge #340 `allow to explicitly disable client authentication`
---
diff --git a/conf/config.py b/conf/config.py
index a4c691e..c0c9057 100644
--- a/conf/config.py
+++ b/conf/config.py
@@ -86,6 +86,9 @@ class BaseConfiguration(object):
 AMQ_PRIVATE_KEY_FILE = '/etc/module_build_service/msg-m8y-client.key'
 AMQ_TRUSTED_CERT_FILE = '/etc/module_build_service/Root-CA.crt'
+ # Disable Client Authorization
+ NO_AUTH = False
+
 class DevConfiguration(BaseConfiguration):
 DEBUG = True
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 6d65725..3f51888 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -44,8 +44,7 @@ def _load_secrets():
 return
 if not "OIDC_CLIENT_SECRETS" in app.config:
- log.warn("To support authorization, OIDC_CLIENT_SECRETS has to be set.")
- return
+ raise Unauthorized("OIDC_CLIENT_SECRETS must be set in server config.")
 secrets = _json_loads(open(app.config['OIDC_CLIENT_SECRETS'], 'r').read())
@@ -85,6 +84,10 @@ def get_user(request):
 Returns the client's username and groups based on the OIDC token provided.
 """
+ if app.config['NO_AUTH']:
+ log.debug("Authorization is disabled.")
+ return
+
 _load_secrets()
 if not "oidc_token" in request.cookies:
diff --git a/module_build_service/config.py b/module_build_service/config.py
index 3b90661..33bd2fc 100644
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -280,6 +280,10 @@ class Config(object):
 'type': int,
 'default': 30,
 'desc': 'Global network retry interval for read/write operations, in seconds.'},
+ 'no_auth': {
+ 'type': bool,
+ 'default': False,
+ 'desc': 'Disable client authentication.'},
 }
 def __init__(self, conf_section_obj):
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 6869c8c..3a6258c 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
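Review bot: The new `raise Unauthorized("OIDC_CLIENT_SECRETS must be set in server config.")` in `_load_secrets()` reports a server-side misconfiguration to the caller as an authentication failure, and it replaces the only log line the operator had for this condition. Failing closed is the right direction, but if the `Unauthorized` message is returned in the HTTP response (not visible in this diff), clients learn which configuration key is missing while the server log stays silent. I would keep a server-side record before raising, for example `log.error("OIDC_CLIENT_SECRETS is not set; rejecting request.")`, and make the client-facing text generic. `_load_secrets()` starts before this hunk and continues after it.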
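Review bot: The `NO_AUTH` branch added at the top of `get_user()` turns off authentication for every caller, yet it records this only at debug level and returns a bare `None` where the docstring promises a username and groups. A service running unauthenticated should be visible in normal logs, so I would use `log.warning("Client authentication is disabled (NO_AUTH is set).")`. I would also read the flag with `app.config.get('NO_AUTH', False)`, so that a configuration lacking the key keeps authentication on instead of raising `KeyError`. The docstring should state that `None` is returned when authentication is disabled; the callers are outside this diff, so whether they handle `None` safely (for example when recording a build owner) needs checking. The log message and the `conf/config.py` comment say "Authorization" while the option description says "authentication"; one term should be used throughout.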
@@ -62,3 +62,13 @@ class TestAuthModule(unittest.TestCase):
 request.cookies.return_value = {"oidc_token", "1234"}
 result = module_build_service.auth.get_user(request)
 eq_(result, name)
+
+ def test_disable_authentication(self):
+ with patch.dict('module_build_service.app.config', {'NO_AUTH': True}, clear=True):
+ request = mock.MagicMock()
+ eq_(module_build_service.auth.get_user(request), None)
+
+ @raises(module_build_service.errors.Unauthorized)
+ def test_misconfiguring_oidc_client_secrets_should_be_failed(self):
+ request = mock.MagicMock()
+ module_build_service.auth.get_user(request)
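Review bot: `test_misconfiguring_oidc_client_secrets_should_be_failed` depends on ambient state and cannot tell which check raised. It passes only if the shared `app.config` has `NO_AUTH` present and falsy and has no `OIDC_CLIENT_SECRETS`. With a bare `MagicMock` request, the later `"oidc_token" in request.cookies` check in `get_user()` presumably raises `Unauthorized` as well, so the test may pass without ever reaching the new `raise` in `_load_secrets()`. Pin the configuration inside the test, as `test_disable_authentication` does, with `with patch.dict('module_build_service.app.config', {'NO_AUTH': False}, clear=True):`, and assert on the exception message so the misconfiguration path is the one being exercised. `test_disable_authentication` could also patch `_load_secrets` and assert it is not called, which documents that the bypass short-circuits before any secret handling.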