feat: gate OIDC routes behind explicit configuration (#21)

damacus · web-flow · commit d60311375602 · 2026-02-15T14:18:12.000Z
diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"time"
+	"strings"
 
 	"github.com/damacus/iron-buckets/internal/handlers"
 	customMiddleware "github.com/damacus/iron-buckets/internal/middleware"
@@ -41,7 +42,8 @@ func newServer(minioEndpoint string) *echo.Echo {
 	// Services
 	authService := services.NewAuthService()
 	minioFactory := &services.RealMinioFactory{}
-	authHandler := handlers.NewAuthHandler(authService, minioFactory, minioEndpoint)
+	oidcEnabled := oidcEnabledFromEnv()
+	authHandler := handlers.NewAuthHandler(authService, minioFactory, minioEndpoint, oidcEnabled)
 	usersHandler := handlers.NewUsersHandler(minioFactory)
 	groupsHandler := handlers.NewGroupsHandler(minioFactory)
 	bucketsHandler := handlers.NewBucketsHandler(minioFactory)
@@ -69,16 +71,40 @@ func newServer(minioEndpoint string) *echo.Echo {
 	e.Renderer = renderer.New()
 
 	// Public Routes (auth middleware will skip these)
+	registerPublicRoutes(e, authHandler, oidcEnabled)
+
+	// Protected Routes
+	registerProtectedRoutes(e, drivesHandler, dashboardHandler, usersHandler, groupsHandler, bucketsHandler, settingsHandler)
+
+	return e
+}
+
+func oidcEnabledFromEnv() bool {
+	return strings.EqualFold(os.Getenv("OIDC_ENABLED"), "true")
+}
+
+func registerPublicRoutes(e *echo.Echo, authHandler *handlers.AuthHandler, oidcEnabled bool) {
 	e.GET("/health", func(c echo.Context) error {
 		return c.String(http.StatusOK, "OK")
 	})
 	e.GET("/login", authHandler.LoginPage)
 	e.POST("/login", authHandler.Login)
-	e.GET("/login/oauth", authHandler.LoginOIDC)
-	e.GET("/oauth/callback", authHandler.CallbackOIDC)
+	if oidcEnabled {
+		e.GET("/login/oauth", authHandler.LoginOIDC)
+		e.GET("/oauth/callback", authHandler.CallbackOIDC)
+	}
 	e.GET("/logout", authHandler.Logout)
+}
 
-	// Protected Routes
+func registerProtectedRoutes(
+	e *echo.Echo,
+	drivesHandler *handlers.DrivesHandler,
+	dashboardHandler *handlers.DashboardHandler,
+	usersHandler *handlers.UsersHandler,
+	groupsHandler *handlers.GroupsHandler,
+	bucketsHandler *handlers.BucketsHandler,
+	settingsHandler *handlers.SettingsHandler,
+) {
 	e.GET("/", func(c echo.Context) error {
 		return c.Render(http.StatusOK, "dashboard", map[string]interface{}{
 			"ActiveNav": "dashboard",
@@ -153,6 +179,4 @@ func newServer(minioEndpoint string) *echo.Echo {
 	e.GET("/settings", settingsHandler.ShowSettings)
 	e.POST("/settings/restart", settingsHandler.RestartService)
 	e.GET("/settings/logs", settingsHandler.GetLogs)
-
-	return e
 }
diff --git a/cmd/server/oidc_routes_test.go b/cmd/server/oidc_routes_test.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/damacus/iron-buckets/internal/handlers"
+	"github.com/damacus/iron-buckets/internal/services"
+	"github.com/labstack/echo/v4"
+)
+
+func TestOIDCRoutesDisabledByDefault(t *testing.T) {
+	e := echo.New()
+	authHandler := handlers.NewAuthHandler(services.NewAuthService(), &services.RealMinioFactory{}, "localhost:9000", false)
+	registerPublicRoutes(e, authHandler, false)
+
+	req := httptest.NewRequest(http.MethodGet, "/login/oauth", nil)
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusNotFound {
+		t.Fatalf("expected 404 when OIDC is disabled, got %d", rec.Code)
+	}
+}
+
+func TestOIDCRoutesEnabledWithEnvFlag(t *testing.T) {
+	e := echo.New()
+	authHandler := handlers.NewAuthHandler(services.NewAuthService(), &services.RealMinioFactory{}, "localhost:9000", true)
+	registerPublicRoutes(e, authHandler, true)
+
+	req := httptest.NewRequest(http.MethodGet, "/login/oauth", nil)
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200 when OIDC is enabled, got %d", rec.Code)
+	}
+}
+
+func TestOIDCEnabledFromEnv(t *testing.T) {
+	t.Setenv("OIDC_ENABLED", "TRUE")
+	if !oidcEnabledFromEnv() {
+		t.Fatal("expected OIDC_ENABLED=TRUE to be treated as enabled")
+	}
+
+	t.Setenv("OIDC_ENABLED", "false")
+	if oidcEnabledFromEnv() {
+		t.Fatal("expected OIDC_ENABLED=false to be treated as disabled")
+	}
+}
diff --git a/cmd/server/user_journey_test.go b/cmd/server/user_journey_test.go
@@ -107,7 +107,7 @@ func TestUserJourney(t *testing.T) {
 	// Login uses ListBuckets to verify credentials
 	mockClient.On("ListBuckets", mock.Anything).Return([]minio.BucketInfo{}, nil)
 
-	authHandler := handlers.NewAuthHandler(authService, mockFactory, minioEndpoint)
+	authHandler := handlers.NewAuthHandler(authService, mockFactory, minioEndpoint, false)
 
 	// Setup Routes
 	e.POST("/login", authHandler.Login)
diff --git a/internal/handlers/auth_handler.go b/internal/handlers/auth_handler.go
@@ -13,13 +13,15 @@ type AuthHandler struct {
 	authService   *services.AuthService
 	minioFactory  services.MinioClientFactory
 	minioEndpoint string
+	oidcEnabled   bool
 }
 
-func NewAuthHandler(authService *services.AuthService, minioFactory services.MinioClientFactory, minioEndpoint string) *AuthHandler {
+func NewAuthHandler(authService *services.AuthService, minioFactory services.MinioClientFactory, minioEndpoint string, oidcEnabled bool) *AuthHandler {
 	return &AuthHandler{
 		authService:   authService,
 		minioFactory:  minioFactory,
 		minioEndpoint: minioEndpoint,
+		oidcEnabled:   oidcEnabled,
 	}
 }
 
@@ -103,13 +105,21 @@ func (h *AuthHandler) Logout(c echo.Context) error {
 
 // LoginOIDC initiates the OIDC flow
 func (h *AuthHandler) LoginOIDC(c echo.Context) error {
+	if !h.oidcEnabled {
+		return echo.NewHTTPError(http.StatusServiceUnavailable, "OIDC login is not enabled")
+	}
+
 	// TODO: Generate state, store in cookie, redirect to OIDC provider
 	// For now, just return a message
 	return c.HTML(http.StatusOK, "<h1>OIDC Redirect...</h1><p>(Not fully configured yet)</p>")
 }
 
 // CallbackOIDC handles the OIDC callback
 func (h *AuthHandler) CallbackOIDC(c echo.Context) error {
+	if !h.oidcEnabled {
+		return echo.NewHTTPError(http.StatusServiceUnavailable, "OIDC login is not enabled")
+	}
+
 	// TODO: Exchange code for token, assume role with MinIO, set cookie
 	return echo.NewHTTPError(http.StatusNotImplemented, "OIDC Callback not implemented")
 }
diff --git a/internal/handlers/auth_handler_test.go b/internal/handlers/auth_handler_test.go
@@ -133,7 +133,7 @@ func TestLoginSetsSecureCookieOverTLS(t *testing.T) {
 	c := e.NewContext(req, rec)
 
 	authService := services.NewAuthService()
-	handler := NewAuthHandler(authService, &authTestFactory{client: &authTestMinioClient{}}, "play.min.io:9000")
+	handler := NewAuthHandler(authService, &authTestFactory{client: &authTestMinioClient{}}, "play.min.io:9000", false)
 
 	err := handler.Login(c)
 	require.NoError(t, err)
@@ -161,7 +161,7 @@ func TestLogoutClearsCookieWithMatchingSecurityAttributes(t *testing.T) {
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)
 
-	handler := NewAuthHandler(services.NewAuthService(), &authTestFactory{client: &authTestMinioClient{}}, "play.min.io:9000")
+	handler := NewAuthHandler(services.NewAuthService(), &authTestFactory{client: &authTestMinioClient{}}, "play.min.io:9000", false)
 
 	err := handler.Logout(c)
 	require.NoError(t, err)
@@ -183,3 +183,19 @@ func TestLogoutClearsCookieWithMatchingSecurityAttributes(t *testing.T) {
 	assert.True(t, sessionCookie.Secure)
 	assert.Equal(t, "/", sessionCookie.Path)
 }
+
+func TestLoginOIDCReturnsDisabledErrorWhenFeatureFlagOff(t *testing.T) {
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/login/oauth", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	handler := NewAuthHandler(services.NewAuthService(), &authTestFactory{client: &authTestMinioClient{}}, "play.min.io:9000", false)
+
+	err := handler.LoginOIDC(c)
+	require.Error(t, err)
+
+	httpErr, ok := err.(*echo.HTTPError)
+	require.True(t, ok)
+	assert.Equal(t, http.StatusServiceUnavailable, httpErr.Code)
+}
