quay/endpoints/v2/test/test_v2auth.py

import base64

from flask import url_for

from app import instance_keys, app as original_app
from data.model.user import regenerate_robot_token, get_robot_and_metadata, get_user
from endpoints.test.shared import conduct_call
from util.security.registry_jwt import decode_bearer_token, CLAIM_TUF_ROOTS

from test.fixtures import *


def get_robot_password(username):
  parent_name, robot_shortname = username.split('+', 1)
  parent = get_user(parent_name)
  _, token, _ = get_robot_and_metadata(robot_shortname, parent)
  return token


@pytest.mark.parametrize('scope, username, password, expected_code, expected_scopes', [
  # Invalid repository.
  ('repository:devtable/simple/foo/bar/baz:pull', 'devtable', 'password', 400, []),

  # Invalid scopes.
  ('some_invalid_scope', 'devtable', 'password', 400, []),

  # Invalid credentials.
  ('repository:devtable/simple:pull', 'devtable', 'invalid', 401, []),

  # Valid credentials.
  ('repository:devtable/simple:pull', 'devtable', 'password', 200,
   ['devtable/simple:pull']),

  ('repository:devtable/simple:push', 'devtable', 'password', 200,
   ['devtable/simple:push']),

  ('repository:devtable/simple:pull,push', 'devtable', 'password', 200,
   ['devtable/simple:push,pull']),

  ('repository:devtable/simple:pull,push,*', 'devtable', 'password', 200,
   ['devtable/simple:push,pull,*']),

  ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
   ['buynlarge/orgrepo:push,pull,*']),

  ('', 'devtable', 'password', 200, []),

  # No credentials, non-public repo.
  ('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),

  # No credentials, public repo.
  ('repository:public/publicrepo:pull', None, None, 200, ['public/publicrepo:pull']),

  # Reader only.
  ('repository:buynlarge/orgrepo:pull,push,*', 'reader', 'password', 200,
   ['buynlarge/orgrepo:pull']),

  # Unknown repository.
  ('repository:devtable/unknownrepo:pull,push', 'devtable', 'password', 200,
   ['devtable/unknownrepo:push,pull']),

  # Unknown repository in another namespace.
  ('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
   ['somenamespace/unknownrepo:']),

  # Disabled namespace.
  (['repository:devtable/simple:pull,push', 'repository:disabled/complex:pull'],
    'devtable', 'password', 405,
   []),

  # Multiple scopes.
  (['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
    'devtable', 'password', 200,
   ['devtable/simple:push,pull', 'devtable/complex:pull']),

  # Multiple scopes with restricted behavior.
  (['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],
    'devtable', 'password', 200,
   ['devtable/simple:push,pull', 'public/publicrepo:pull']),

  (['repository:devtable/simple:pull,push,*', 'repository:public/publicrepo:pull,push,*'],
    'devtable', 'password', 200,
   ['devtable/simple:push,pull,*', 'public/publicrepo:pull']),

  # Read Only State
  ('repository:devtable/readonly:pull,push,*', 'devtable', 'password', 200,
   ['devtable/readonly:pull']),

  # Mirror State as a typical User
  ('repository:devtable/mirrored:pull,push,*', 'devtable', 'password', 200,
   ['devtable/mirrored:pull']),

  # Mirror State as the robot User should have write access
  ('repository:devtable/mirrored:pull,push,*', 'devtable+dtrobot', get_robot_password, 200,
   ['devtable/mirrored:push,pull']),

  # Organization repository, org admin
  ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
   ['buynlarge/orgrepo:push,pull,*']),

  # Organization repository, org creator
  ('repository:buynlarge/orgrepo:pull,push,*', 'creator', 'password', 200,
   ['buynlarge/orgrepo:']),

  # Organization repository, org reader
  ('repository:buynlarge/orgrepo:pull,push,*', 'reader', 'password', 200,
   ['buynlarge/orgrepo:pull']),

  # Organization repository, freshuser
  ('repository:buynlarge/orgrepo:pull,push,*', 'freshuser', 'password', 200,
   ['buynlarge/orgrepo:']),
])
def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,
                               app, client):
  params = {
    'service': original_app.config['SERVER_HOSTNAME'],
    'scope': scope,
  }

  if callable(password):
    password = password(username)

  headers = {}
  if username and password:
    headers['Authorization'] = 'Basic %s' % (base64.b64encode('%s:%s' % (username, password)))

  resp = conduct_call(client, 'v2.generate_registry_jwt', url_for, 'GET', params, {}, expected_code,
                      headers=headers)
  if expected_code != 200:
    return

  token = resp.json['token']
  decoded = decode_bearer_token(token, instance_keys, original_app.config)
  assert decoded['iss'] == 'quay'
  assert decoded['aud'] == original_app.config['SERVER_HOSTNAME']
  assert decoded['sub'] == username if username else '(anonymous)'

  expected_access = []
  for scope in expected_scopes:
    name, actions_str = scope.split(':')
    actions = actions_str.split(',') if actions_str else []

    expected_access.append({
      'type': 'repository',
      'name': name,
      'actions': actions,
    })

  assert decoded['access'] == expected_access
  assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)
initial import for Open Source 🎉 2019-11-12 16:09:47 +00:00			`import base64`

			`from flask import url_for`

			`from app import instance_keys, app as original_app`
			`from data.model.user import regenerate_robot_token, get_robot_and_metadata, get_user`
			`from endpoints.test.shared import conduct_call`
			`from util.security.registry_jwt import decode_bearer_token, CLAIM_TUF_ROOTS`

			`from test.fixtures import *`


			`def get_robot_password(username):`
			`parent_name, robot_shortname = username.split('+', 1)`
			`parent = get_user(parent_name)`
			`_, token, _ = get_robot_and_metadata(robot_shortname, parent)`
			`return token`


			`@pytest.mark.parametrize('scope, username, password, expected_code, expected_scopes', [`
			`# Invalid repository.`
			`('repository:devtable/simple/foo/bar/baz:pull', 'devtable', 'password', 400, []),`

			`# Invalid scopes.`
			`('some_invalid_scope', 'devtable', 'password', 400, []),`

			`# Invalid credentials.`
			`('repository:devtable/simple:pull', 'devtable', 'invalid', 401, []),`

			`# Valid credentials.`
			`('repository:devtable/simple:pull', 'devtable', 'password', 200,`
			`['devtable/simple:pull']),`

			`('repository:devtable/simple:push', 'devtable', 'password', 200,`
			`['devtable/simple:push']),`

			`('repository:devtable/simple:pull,push', 'devtable', 'password', 200,`
			`['devtable/simple:push,pull']),`

			`('repository:devtable/simple:pull,push,*', 'devtable', 'password', 200,`
			`['devtable/simple:push,pull,*']),`

			`('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,`
			`['buynlarge/orgrepo:push,pull,*']),`

			`('', 'devtable', 'password', 200, []),`

			`# No credentials, non-public repo.`
			`('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),`

			`# No credentials, public repo.`
			`('repository:public/publicrepo:pull', None, None, 200, ['public/publicrepo:pull']),`

			`# Reader only.`
			`('repository:buynlarge/orgrepo:pull,push,*', 'reader', 'password', 200,`
			`['buynlarge/orgrepo:pull']),`

			`# Unknown repository.`
			`('repository:devtable/unknownrepo:pull,push', 'devtable', 'password', 200,`
			`['devtable/unknownrepo:push,pull']),`

			`# Unknown repository in another namespace.`
			`('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,`
			`['somenamespace/unknownrepo:']),`

			`# Disabled namespace.`
			`(['repository:devtable/simple:pull,push', 'repository:disabled/complex:pull'],`
			`'devtable', 'password', 405,`
			`[]),`

			`# Multiple scopes.`
			`(['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],`
			`'devtable', 'password', 200,`
			`['devtable/simple:push,pull', 'devtable/complex:pull']),`

			`# Multiple scopes with restricted behavior.`
			`(['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],`
			`'devtable', 'password', 200,`
			`['devtable/simple:push,pull', 'public/publicrepo:pull']),`

			`(['repository:devtable/simple:pull,push,', 'repository:public/publicrepo:pull,push,'],`
			`'devtable', 'password', 200,`
			`['devtable/simple:push,pull,*', 'public/publicrepo:pull']),`

			`# Read Only State`
			`('repository:devtable/readonly:pull,push,*', 'devtable', 'password', 200,`
			`['devtable/readonly:pull']),`

			`# Mirror State as a typical User`
			`('repository:devtable/mirrored:pull,push,*', 'devtable', 'password', 200,`
			`['devtable/mirrored:pull']),`

			`# Mirror State as the robot User should have write access`
			`('repository:devtable/mirrored:pull,push,*', 'devtable+dtrobot', get_robot_password, 200,`
			`['devtable/mirrored:push,pull']),`

			`# Organization repository, org admin`
			`('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,`
			`['buynlarge/orgrepo:push,pull,*']),`

			`# Organization repository, org creator`
			`('repository:buynlarge/orgrepo:pull,push,*', 'creator', 'password', 200,`
			`['buynlarge/orgrepo:']),`

			`# Organization repository, org reader`
			`('repository:buynlarge/orgrepo:pull,push,*', 'reader', 'password', 200,`
			`['buynlarge/orgrepo:pull']),`

			`# Organization repository, freshuser`
			`('repository:buynlarge/orgrepo:pull,push,*', 'freshuser', 'password', 200,`
			`['buynlarge/orgrepo:']),`
			`])`
			`def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,`
			`app, client):`
			`params = {`
			`'service': original_app.config['SERVER_HOSTNAME'],`
			`'scope': scope,`
			`}`

			`if callable(password):`
			`password = password(username)`

			`headers = {}`
			`if username and password:`
			`headers['Authorization'] = 'Basic %s' % (base64.b64encode('%s:%s' % (username, password)))`

			`resp = conduct_call(client, 'v2.generate_registry_jwt', url_for, 'GET', params, {}, expected_code,`
			`headers=headers)`
			`if expected_code != 200:`
			`return`

			`token = resp.json['token']`
			`decoded = decode_bearer_token(token, instance_keys, original_app.config)`
			`assert decoded['iss'] == 'quay'`
			`assert decoded['aud'] == original_app.config['SERVER_HOSTNAME']`
			`assert decoded['sub'] == username if username else '(anonymous)'`

			`expected_access = []`
			`for scope in expected_scopes:`
			`name, actions_str = scope.split(':')`
			`actions = actions_str.split(',') if actions_str else []`

			`expected_access.append({`
			`'type': 'repository',`
			`'name': name,`
			`'actions': actions,`
			`})`

			`assert decoded['access'] == expected_access`
			`assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)`