Merge pull request #27 from openshift-cherrypick-robot/cherry-pick-26…

…-to-release-4.3

Bug 1781083: Add bootstrap idp only when bootstrap user is enabled

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/onsi/gomega v1.7.0 // indirect
 	github.com/openshift/api v3.9.1-0.20190923092516-169848dd8137+incompatible
 	github.com/openshift/client-go v0.0.0-20190923092832-6afefc9bb372
-	github.com/openshift/library-go v0.0.0-20190923093227-76b67dd70a86
+	github.com/openshift/library-go v0.0.0-20191209093827-acc37612b9f9
 	github.com/pkg/profile v1.3.0 // indirect
 	github.com/prometheus/client_golang v0.9.2
 	github.com/prometheus/common v0.2.0 // indirect

go.sum

@@ -192,6 +192,8 @@ github.com/openshift/client-go v0.0.0-20190923092832-6afefc9bb372 h1:iOFI/ua5QKK
 github.com/openshift/client-go v0.0.0-20190923092832-6afefc9bb372/go.mod h1:6rzn+JTr7+WYS2E1TExP4gByoABxMznR6y2SnUIkmxk=
 github.com/openshift/library-go v0.0.0-20190923093227-76b67dd70a86 h1:IU+umCUKn37qcDOJEDkT1SL7za+YGCsuZMoni6FXu7I=
 github.com/openshift/library-go v0.0.0-20190923093227-76b67dd70a86/go.mod h1:NBttNjZpWwup/nthuLbPAPSYC8Qyo+BBK5bCtFoyYjo=
+github.com/openshift/library-go v0.0.0-20191209093827-acc37612b9f9 h1:bb07omT6Nz6mFE7NHpldsAlUcHZsgKYhgkDgT6pFGeI=
+github.com/openshift/library-go v0.0.0-20191209093827-acc37612b9f9/go.mod h1:NBttNjZpWwup/nthuLbPAPSYC8Qyo+BBK5bCtFoyYjo=
 github.com/openshift/osin v1.0.1-0.20180202150137-2dc1b4316769 h1:jTaxjdXcD89WEuNXU/R+ByAMhcI3ETa6Y/o4V9v0s9Q=
 github.com/openshift/osin v1.0.1-0.20180202150137-2dc1b4316769/go.mod h1:/gGuqQHvGNST0GB+Pomi3398FTdcM+9UaXafpqHvfDM=
 github.com/openshift/osincli v0.0.0-20190724130521-fababb0555f2 h1:BQijuR1b+/aK5oMNrYo8VcPzFqkrDyY/QI3uh43EKIY=

pkg/oauthserver/oauth_apiserver.go

@@ -101,22 +101,26 @@ func NewOAuthServerConfig(oauthConfig osinv1.OAuthConfig, userClientConfig *rest
 		// we dynamically enable or disable its UI based on the backing secret
 		// this must be the first IDP to make sure that it can handle basic auth challenges first
 		// this mostly avoids weird cases with the allow all IDP
-		oauthConfig.IdentityProviders = append(
-			[]osinv1.IdentityProvider{
-				{
-					Name: bootstrap.BootstrapUser, // will never conflict with other IDPs due to the :
-					// don't set it up as challenger if RequestHeaders IdP already is set that way
-					// this would set challenging headers and break RequestHeaders IdP
-					UseAsChallenger: !isRequestHeaderSetAsChallenger(oauthConfig.IdentityProviders),
-					UseAsLogin:      true,
-					MappingMethod:   string(identitymapper.MappingMethodClaim), // irrelevant, but needs to be valid
-					Provider: runtime.RawExtension{
-						Object: &config.BootstrapIdentityProvider{},
+		if bootstrapUserEnabled, err := bootstrapUserDataGetter.IsEnabled(); err != nil {
+			return nil, err
+		} else if bootstrapUserEnabled {
+			oauthConfig.IdentityProviders = append(
+				[]osinv1.IdentityProvider{
+					{
+						Name: bootstrap.BootstrapUser, // will never conflict with other IDPs due to the :
+						// don't set it up as challenger if RequestHeaders IdP already is set that way
+						// this would set challenging headers and break RequestHeaders IdP
+						UseAsChallenger: !isRequestHeaderSetAsChallenger(oauthConfig.IdentityProviders),
+						UseAsLogin:      true,
+						MappingMethod:   string(identitymapper.MappingMethodClaim), // irrelevant, but needs to be valid
+						Provider: runtime.RawExtension{
+							Object: &config.BootstrapIdentityProvider{},
+						},
 					},
 				},
-			},
-			oauthConfig.IdentityProviders...,
-		)
+				oauthConfig.IdentityProviders...,
+			)
+		}
 	}
 
 	if len(oauthConfig.IdentityProviders) == 0 {