Merge pull request #6402 from abhgupta/abhgupta-dev

Merged by openshift-bot
openshift · Jul 22, 2016 · a4adf17 · a4adf17
2 parents 9960c8c + 07007e3
commit a4adf17
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 0 deletions.
diff --git a/broker/conf/broker.conf b/broker/conf/broker.conf
@@ -139,6 +139,12 @@ CART_DOWNLOAD_CONN_TIMEOUT="2"
 # Set to "true" to make application default to use https in advertised URL
 APP_ADVERTISE_HTTPS="false"
 
+# Set to true to block new user creation within OpenShift broker
+# If set to true, only allows existing users to access OpenShift
+# New users, even if authenticated, will not be provisioned in OpenShift broker
+# and will get an AccessDeniedException
+AUTH_USER_LOOKUP_ONLY="false"
+
 # Team collaboration settings
 MAX_MEMBERS_PER_RESOURCE="100"
 MAX_TEAMS_PER_RESOURCE="5"

diff --git a/broker/config/environments/development.rb b/broker/config/environments/development.rb
@@ -121,6 +121,7 @@
     :use_predictable_gear_uuids => conf.get_bool("USE_PREDICTABLE_GEAR_UUIDS", false),
     :limit_app_name_chars => conf.get("LIMIT_APP_NAME_CHARS", -1).to_i,
     :app_advertise_https => conf.get_bool("APP_ADVERTISE_HTTPS", false),
+    :auth_user_lookup_only => conf.get_bool("AUTH_USER_LOOKUP_ONLY", false),
   }
 
   config.auth = {

diff --git a/broker/config/environments/production.rb b/broker/config/environments/production.rb
@@ -110,6 +110,7 @@
     :use_predictable_gear_uuids => conf.get_bool("USE_PREDICTABLE_GEAR_UUIDS", false),
     :limit_app_name_chars => conf.get("LIMIT_APP_NAME_CHARS", -1).to_i,
     :app_advertise_https => conf.get_bool("APP_ADVERTISE_HTTPS", false),
+    :auth_user_lookup_only => conf.get_bool("AUTH_USER_LOOKUP_ONLY", false),
   }
 
   config.auth = {

diff --git a/broker/config/environments/test.rb b/broker/config/environments/test.rb
@@ -119,6 +119,7 @@
     :use_predictable_gear_uuids => conf.get_bool("USE_PREDICTABLE_GEAR_UUIDS", false),
     :limit_app_name_chars => conf.get("LIMIT_APP_NAME_CHARS", -1).to_i,
     :app_advertise_https => conf.get_bool("APP_ADVERTISE_HTTPS", false),
+    :auth_user_lookup_only => conf.get_bool("AUTH_USER_LOOKUP_ONLY", false),
   }
 
   config.auth = {

diff --git a/controller/app/models/cloud_user.rb b/controller/app/models/cloud_user.rb
@@ -163,6 +163,10 @@ def self.find_or_create_by_identity(provider, login, create_attributes={}, &bloc
     yield user, login if block_given?
     [user, false]
   rescue Mongoid::Errors::DocumentNotFound
+    # if new user creation is blocked, then return an exception
+    if Rails.application.config.openshift[:auth_user_lookup_only]
+      raise OpenShift::UserException.new("New user signups are not allowed on this cluster")
+    end
     user = new(create_attributes)
     #user.current_identity = user.identities.build(provider: provider, uid: login)
     #user.login = user.current_identity.id