vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/util/config/validator.py

542 lines
20 KiB
Python
Raw Normal View History

Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
import logging
Switch to install custom LDAP cert by name
2016-06-09 18:47:08 +00:00
import subprocess
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions.
2016-09-29 00:17:14 +00:00
import time
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Add UI to the setup tool for enabling ACI conversion Fixes #1211
2016-02-16 20:31:23 +00:00
from StringIO import StringIO
Linter fixes
2016-12-09 22:36:57 +00:00
from hashlib import sha1
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions.
2016-09-29 00:17:14 +00:00
import ldap
import peewee
import redis
Refactor the users class into their own files, add a common base class for federated users and add a `verify_credentials` method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 15:39:59 +00:00
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
from flask import Flask
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions.
2016-09-29 00:17:14 +00:00
from flask_mail import Mail, Message
from app import app, config_provider, get_app_url, OVERRIDE_CONFIG_DIRECTORY
from auth.auth_context import get_authenticated_user
from bitbucket import BitBucket
from boot import setup_jwt_proxy
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
from data.database import validate_database_url
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions.
2016-09-29 00:17:14 +00:00
from data.users import LDAP_CERT_FILENAME
from data.users.externaljwt import ExternalJWTAuthN
from data.users.externalldap import LDAPConnection, LDAPUsers
Add support to Keystone Auth for external user linking Also adds Keystone V3 support
2016-10-27 19:35:52 +00:00
from data.users.keystone import get_keystone_users
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
from storage import get_storage_driver
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 22:28:25 +00:00
from oauth.services.github import GithubOAuthService
from oauth.services.google import GoogleOAuthService
from oauth.services.gitlab import GitLabOAuthService
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
from util.secscan.api import SecurityScannerAPI
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
from util.registry.torrent import torrent_jwt
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions.
2016-09-29 00:17:14 +00:00
from util.security.signing import SIGNING_ENGINES
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
from util.security.ssl import load_certificate, CertInvalidException, KeyInvalidException
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
logger = logging.getLogger(__name__)
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
class ConfigValidationException(Exception):
""" Exception raised when the configuration fails to validate for a known reason. """
pass
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions.
2016-09-29 00:17:14 +00:00
The database SSL name needs to be in its own list FIxes #243
2015-07-15 21:49:07 +00:00
# Note: Only add files required for HTTPS to the SSL_FILESNAMES list.
SSL_FILENAMES = ['ssl.cert', 'ssl.key']
DB_SSL_FILENAMES = ['database.pem']
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
JWT_FILENAMES = ['jwt-authn.cert']
Add UI to the setup tool for enabling ACI conversion Fixes #1211
2016-02-16 20:31:23 +00:00
ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg']
Add additional options for LDAP Fixes #1420
2016-05-03 19:02:39 +00:00
LDAP_FILENAMES = [LDAP_CERT_FILENAME]
CONFIG_FILENAMES = (SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES +
LDAP_FILENAMES)
Custom SSL certificates config panel Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle [Delivers #135586525]
2017-01-11 23:45:46 +00:00
EXTRA_CA_DIRECTORY = 'extra_ca_certs'
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
def get_storage_providers(config):
storage_config = config.get('DISTRIBUTED_STORAGE_CONFIG', {})
drivers = {}
Have the config setup tool automatically prepare the S3 or GCS storage with CORS config
2015-01-16 21:10:40 +00:00
try:
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
for name, parameters in storage_config.items():
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
drivers[name] = (parameters[0], get_storage_driver(None, None, None, parameters))
Linter fixes
2016-12-09 22:36:57 +00:00
except TypeError:
Small fixes
2016-01-29 18:01:17 +00:00
logger.exception('Missing required storage configuration provider')
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing required parameter(s) for storage %s' % name)
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
return drivers
Have the config setup tool automatically prepare the S3 or GCS storage with CORS config
2015-01-16 21:10:40 +00:00
Remove `user_exists` endpoint from all auth systems
2015-06-22 22:17:37 +00:00
def validate_service_for_config(service, config, password=None):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Attempts to validate the configuration for the given service. """
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
if not service in VALIDATORS:
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
return {
'status': False
}
try:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
VALIDATORS[service](config, get_authenticated_user(), password)
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
return {
'status': True
}
except Exception as ex:
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
logger.exception('Validation exception')
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
return {
'status': False,
'reason': str(ex)
}
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_database(config, user_obj, _):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Validates connecting to the database. """
- Make validation a bit nicer: - Add timeout to the DB validation - Make DB validation exception handling a bit nicer - Move the DB validation error message - Fix bug around RADOS config default for Is Secure - Allow hiding of the validation box
2015-01-08 20:27:49 +00:00
try:
Allow SSL cert for the database to be configured This change adds a field for the SSL cert for the database in the setup tool. Fixes #89
2015-06-29 05:08:10 +00:00
validate_database_url(config['DB_URI'], config.get('DB_CONNECTION_ARGS', {}))
- Make validation a bit nicer: - Add timeout to the DB validation - Make DB validation exception handling a bit nicer - Move the DB validation error message - Fix bug around RADOS config default for Is Secure - Allow hiding of the validation box
2015-01-08 20:27:49 +00:00
except peewee.OperationalError as ex:
if ex.args and len(ex.args) > 1:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException(ex.args[1])
- Make validation a bit nicer: - Add timeout to the DB validation - Make DB validation exception handling a bit nicer - Move the DB validation error message - Fix bug around RADOS config default for Is Secure - Allow hiding of the validation box
2015-01-08 20:27:49 +00:00
else:
raise ex
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_redis(config, user_obj, _):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Validates connecting to redis. """
- Make validation a bit nicer: - Add timeout to the DB validation - Make DB validation exception handling a bit nicer - Move the DB validation error message - Fix bug around RADOS config default for Is Secure - Allow hiding of the validation box
2015-01-08 20:27:49 +00:00
redis_config = config.get('BUILDLOGS_REDIS', {})
if not 'host' in redis_config:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing redis hostname')
- Make validation a bit nicer: - Add timeout to the DB validation - Make DB validation exception handling a bit nicer - Move the DB validation error message - Fix bug around RADOS config default for Is Secure - Allow hiding of the validation box
2015-01-08 20:27:49 +00:00
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
client = redis.StrictRedis(socket_connect_timeout=5, **redis_config)
client.ping()
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_registry_storage(config, user_obj, _):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Validates registry storage. """
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
replication_enabled = config.get('FEATURE_STORAGE_REPLICATION', False)
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
providers = get_storage_providers(config).items()
if not providers:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Storage configuration required')
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
for name, (storage_type, driver) in providers:
try:
if replication_enabled and storage_type == 'LocalStorage':
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Locally mounted directory not supported ' +
'with storage replication')
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
Change validate method to work for all storages
2016-08-01 21:07:33 +00:00
# Run validation on the driver.
superuser: add storage replication config
2015-10-26 23:06:05 +00:00
driver.validate(app.config['HTTPCLIENT'])
# Run setup on the driver if the read/write succeeded.
driver.setup()
except Exception as ex:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Invalid storage configuration: %s: %s' % (name, str(ex)))
Have the config setup tool automatically prepare the S3 or GCS storage with CORS config
2015-01-16 21:10:40 +00:00
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_mailing(config, user_obj, _):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Validates sending email. """
test_app = Flask("mail-test-app")
test_app.config.update(config)
test_app.config.update({
'MAIL_FAIL_SILENTLY': False,
'TESTING': False
})
test_mail = Mail(test_app)
Make sure to specify a default mail sender when validating emails. Unfortunately for us, flask-mail by default uses the sender from the *global* app instance, rather than the one specified in the Mail(...) call. This was breaking validation.
2015-03-03 18:56:32 +00:00
test_msg = Message("Test e-mail from %s" % app.config['REGISTRY_TITLE'],
sender=config.get('MAIL_DEFAULT_SENDER'))
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
test_msg.add_recipient(user_obj.email)
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
test_mail.send(test_msg)
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_gitlab(config, user_obj, _):
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
""" Validates the OAuth credentials and API endpoint for a GitLab service. """
github_config = config.get('GITLAB_TRIGGER_CONFIG')
if not github_config:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing GitLab client id and client secret')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
endpoint = github_config.get('GITLAB_ENDPOINT')
if not endpoint:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing GitLab Endpoint')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
if endpoint.find('http://') != 0 and endpoint.find('https://') != 0:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('GitLab Endpoint must start with http:// or https://')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
if not github_config.get('CLIENT_ID'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Client ID')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
if not github_config.get('CLIENT_SECRET'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Client Secret')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
client = app.config['HTTPCLIENT']
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 22:28:25 +00:00
oauth = GitLabOAuthService(config, 'GITLAB_TRIGGER_CONFIG')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
result = oauth.validate_client_id_and_secret(client, app.config)
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Invalid client id or client secret')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
def _validate_github(config_key):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
return lambda config, user_obj, _: _validate_github_with_key(config_key, config)
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
def _validate_github_with_key(config_key, config):
""" Validates the OAuth credentials and API endpoint for a Github service. """
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
github_config = config.get(config_key)
if not github_config:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing GitHub client id and client secret')
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
endpoint = github_config.get('GITHUB_ENDPOINT')
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
if not endpoint:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing GitHub Endpoint')
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
if endpoint.find('http://') != 0 and endpoint.find('https://') != 0:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Github Endpoint must start with http:// or https://')
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
if not github_config.get('CLIENT_ID'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Client ID')
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
if not github_config.get('CLIENT_SECRET'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Client Secret')
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
Add support for filtering github login by org
2015-03-04 00:58:42 +00:00
if github_config.get('ORG_RESTRICT') and not github_config.get('ALLOWED_ORGANIZATIONS'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Organization restriction must have at least one allowed ' +
'organization')
Add support for filtering github login by org
2015-03-04 00:58:42 +00:00
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
client = app.config['HTTPCLIENT']
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 22:28:25 +00:00
oauth = GithubOAuthService(config, config_key)
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
result = oauth.validate_client_id_and_secret(client, app.config)
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Invalid client id or client secret')
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Add support for filtering github login by org
2015-03-04 00:58:42 +00:00
if github_config.get('ALLOWED_ORGANIZATIONS'):
for org_id in github_config.get('ALLOWED_ORGANIZATIONS'):
if not oauth.validate_organization(org_id, client):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Invalid organization: %s' % org_id)
Add support for filtering github login by org
2015-03-04 00:58:42 +00:00
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_bitbucket(config, user_obj, _):
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
""" Validates the config for BitBucket. """
trigger_config = config.get('BITBUCKET_TRIGGER_CONFIG')
if not trigger_config:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing client ID and client secret')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
if not trigger_config.get('CONSUMER_KEY'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Consumer Key')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
if not trigger_config.get('CONSUMER_SECRET'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Consumer Secret')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
key = trigger_config['CONSUMER_KEY']
secret = trigger_config['CONSUMER_SECRET']
callback_url = '%s/oauth1/bitbucket/callback/trigger/' % (get_app_url())
bitbucket_client = BitBucket(key, secret, callback_url)
(result, _, _) = bitbucket_client.get_authorization_url()
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Invalid consumer key or secret')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_google_login(config, user_obj, _):
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
""" Validates the Google Login client ID and secret. """
google_login_config = config.get('GOOGLE_LOGIN_CONFIG')
if not google_login_config:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing client ID and client secret')
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
if not google_login_config.get('CLIENT_ID'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Client ID')
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
if not google_login_config.get('CLIENT_SECRET'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Client Secret')
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
client = app.config['HTTPCLIENT']
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 22:28:25 +00:00
oauth = GoogleOAuthService(config, 'GOOGLE_LOGIN_CONFIG')
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
result = oauth.validate_client_id_and_secret(client, app.config)
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Invalid client id or client secret')
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_ssl(config, user_obj, _):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Validates the SSL configuration (if enabled). """
Add option to properly handle external TLS Fixes #1984
2016-10-13 18:49:29 +00:00
# Skip if non-SSL.
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
if config.get('PREFERRED_URL_SCHEME', 'http') != 'https':
return
Add option to properly handle external TLS Fixes #1984
2016-10-13 18:49:29 +00:00
# Skip if externally terminated.
Linter fixes
2016-12-09 22:36:57 +00:00
if config.get('EXTERNAL_TLS_TERMINATION', False) is True:
Add option to properly handle external TLS Fixes #1984
2016-10-13 18:49:29 +00:00
return
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
# Verify that we have all the required SSL files.
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
for filename in SSL_FILENAMES:
Extract the config provider into its own sub-module
2015-07-24 18:52:19 +00:00
if not config_provider.volume_file_exists(filename):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing required SSL file: %s' % filename)
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
# Read the contents of the SSL certificate.
Extract the config provider into its own sub-module
2015-07-24 18:52:19 +00:00
with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
cert_contents = f.read()
# Validate the certificate.
try:
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
certificate = load_certificate(cert_contents)
except CertInvalidException as cie:
raise ConfigValidationException('Could not load SSL certificate: %s' % cie.message)
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
# Verify the certificate has not expired.
if certificate.expired:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('The specified SSL certificate has expired.')
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
# Verify the hostname matches the name in the certificate.
if not certificate.matches_name(config['SERVER_HOSTNAME']):
msg = ('Supported names "%s" in SSL cert do not match server hostname "%s"' %
(', '.join(list(certificate.names)), config['SERVER_HOSTNAME']))
raise ConfigValidationException(msg)
# Verify the private key against the certificate.
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
private_key_path = None
Extract the config provider into its own sub-module
2015-07-24 18:52:19 +00:00
with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
private_key_path = f.name
if not private_key_path:
# Only in testing.
return
try:
Add SSL certificate utility and tests
2016-12-09 23:31:02 +00:00
certificate.validate_private_key(private_key_path)
except KeyInvalidException as kie:
raise ConfigValidationException('SSL private key failed to validate: %s' % kie.message)
Add SSL cert and key validation
2015-02-05 18:06:56 +00:00
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_ldap(config, user_obj, password):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
""" Validates the LDAP connection. """
if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
return
Switch to install custom LDAP cert by name
2016-06-09 18:47:08 +00:00
# If there is a custom LDAP certificate, then reinstall the certificates for the container.
if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
Fix handling of custom LDAP cert This change moves the LDAP cert installation into a common script and reorganizes the startup scripts for creating and installing these certs Fixes #1846
2016-09-19 21:55:08 +00:00
subprocess.check_call(['/conf/init/certs_install.sh'])
Switch to install custom LDAP cert by name
2016-06-09 18:47:08 +00:00
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
# Note: raises ldap.INVALID_CREDENTIALS on failure
admin_dn = config.get('LDAP_ADMIN_DN')
admin_passwd = config.get('LDAP_ADMIN_PASSWD')
if not admin_dn:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Admin DN for LDAP configuration')
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
if not admin_passwd:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing Admin Password for LDAP configuration')
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
ldap_uri = config.get('LDAP_URI', 'ldap://localhost')
Fix LDAP error and url handling to be more clear for the end user
2015-03-16 18:33:53 +00:00
if not ldap_uri.startswith('ldap://') and not ldap_uri.startswith('ldaps://'):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('LDAP URI must start with ldap:// or ldaps://')
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Add additional options for LDAP Fixes #1420
2016-05-03 19:02:39 +00:00
allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
try:
Switch to install custom LDAP cert by name
2016-06-09 18:47:08 +00:00
with LDAPConnection(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback):
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
pass
except ldap.LDAPError as ex:
values = ex.args[0] if ex.args else {}
Fix LDAP error and url handling to be more clear for the end user
2015-03-16 18:33:53 +00:00
if not isinstance(values, dict):
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException(str(ex.args))
Fix LDAP error and url handling to be more clear for the end user
2015-03-16 18:33:53 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException(values.get('desc', 'Unknown error'))
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Remove `user_exists` endpoint from all auth systems
2015-06-22 22:17:37 +00:00
# Verify that the superuser exists. If not, raise an exception.
base_dn = config.get('LDAP_BASE_DN')
user_rdn = config.get('LDAP_USER_RDN', [])
uid_attr = config.get('LDAP_UID_ATTR', 'uid')
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
Make email addresses optional in external auth if email feature is turned off Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-09-08 16:24:47 +00:00
requires_email = config.get('FEATURE_MAILING', True)
Remove `user_exists` endpoint from all auth systems
2015-06-22 22:17:37 +00:00
Add additional options for LDAP Fixes #1420
2016-05-03 19:02:39 +00:00
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
Make email addresses optional in external auth if email feature is turned off Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-09-08 16:24:47 +00:00
allow_tls_fallback, requires_email=requires_email)
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
username = user_obj.username
Refactor the users class into their own files, add a common base class for federated users and add a `verify_credentials` method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 15:39:59 +00:00
(result, err_msg) = users.verify_credentials(username, password)
Remove `user_exists` endpoint from all auth systems
2015-06-22 22:17:37 +00:00
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
msg = ('Verification of superuser %s failed: %s. \n\nThe user either does not exist ' +
'in the remote authentication system ' +
'OR LDAP auth is misconfigured.') % (username, err_msg)
raise ConfigValidationException(msg)
Remove `user_exists` endpoint from all auth systems
2015-06-22 22:17:37 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_jwt(config, user_obj, password):
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
""" Validates the JWT authentication system. """
if config.get('AUTHENTICATION_TYPE', 'Database') != 'JWT':
return
verify_endpoint = config.get('JWT_VERIFY_ENDPOINT')
Add support to ExternalJWT Auth for external user linking
2016-10-27 19:34:03 +00:00
query_endpoint = config.get('JWT_QUERY_ENDPOINT', None)
getuser_endpoint = config.get('JWT_GETUSER_ENDPOINT', None)
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
issuer = config.get('JWT_AUTH_ISSUER')
if not verify_endpoint:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing JWT Verification endpoint')
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
if not issuer:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing JWT Issuer ID')
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
# Try to instatiate the JWT authentication mechanism. This will raise an exception if
# the key cannot be found.
Add support to ExternalJWT Auth for external user linking
2016-10-27 19:34:03 +00:00
users = ExternalJWTAuthN(verify_endpoint, query_endpoint, getuser_endpoint, issuer,
OVERRIDE_CONFIG_DIRECTORY,
Automatically link the superuser account to federated service for auth When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
2015-07-20 17:18:07 +00:00
app.config['HTTPCLIENT'],
Make email addresses optional in external auth if email feature is turned off Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-09-08 16:24:47 +00:00
app.config.get('JWT_AUTH_MAX_FRESH_S', 300),
requires_email=config.get('FEATURE_MAILING', True))
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
# Verify that the superuser exists. If not, raise an exception.
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
username = user_obj.username
Refactor the users class into their own files, add a common base class for federated users and add a `verify_credentials` method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 15:39:59 +00:00
(result, err_msg) = users.verify_credentials(username, password)
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
msg = ('Verification of superuser %s failed: %s. \n\nThe user either does not ' +
'exist in the remote authentication system ' +
'OR JWT auth is misconfigured') % (username, err_msg)
raise ConfigValidationException(msg)
Add support to ExternalJWT Auth for external user linking
2016-10-27 19:34:03 +00:00
# If the query endpoint exists, ensure we can query to find the current user and that we can
# look up users directly.
if query_endpoint:
(results, err_msg) = users.query_users(username)
if not results:
err_msg = err_msg or ('Could not find users matching query: %s' % username)
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Query endpoint is misconfigured or not returning ' +
'proper users: %s' % err_msg)
Add support to ExternalJWT Auth for external user linking
2016-10-27 19:34:03 +00:00
# Make sure the get user endpoint is also configured.
if not getuser_endpoint:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('The lookup user endpoint must be configured if the ' +
'query endpoint is set')
Add support to ExternalJWT Auth for external user linking
2016-10-27 19:34:03 +00:00
(result, err_msg) = users.get_user(username)
if not result:
err_msg = err_msg or ('Could not find user %s' % username)
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Lookup endpoint is misconfigured or not returning ' +
'properly: %s' % err_msg)
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_keystone(config, user_obj, password):
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
""" Validates the Keystone authentication system. """
if config.get('AUTHENTICATION_TYPE', 'Database') != 'Keystone':
return
auth_url = config.get('KEYSTONE_AUTH_URL')
Add support to Keystone Auth for external user linking Also adds Keystone V3 support
2016-10-27 19:35:52 +00:00
auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
if not auth_url:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing authentication URL')
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
if not admin_username:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing admin username')
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
if not admin_password:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing admin password')
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
if not admin_tenant:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Missing admin tenant')
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
Make email addresses optional in external auth if email feature is turned off Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-09-08 16:24:47 +00:00
requires_email = config.get('FEATURE_MAILING', True)
users = get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant,
requires_email)
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
# Verify that the superuser exists. If not, raise an exception.
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
username = user_obj.username
Refactor the users class into their own files, add a common base class for federated users and add a `verify_credentials` method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 15:39:59 +00:00
(result, err_msg) = users.verify_credentials(username, password)
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
if not result:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
msg = ('Verification of superuser %s failed: %s \n\nThe user either does not ' +
'exist in the remote authentication system ' +
'OR Keystone auth is misconfigured.') % (username, err_msg)
raise ConfigValidationException(msg)
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_signer(config, user_obj, _):
Add UI to the setup tool for enabling ACI conversion Fixes #1211
2016-02-16 20:31:23 +00:00
""" Validates the GPG public+private key pair used for signing converted ACIs. """
if config.get('SIGNING_ENGINE') is None:
return
if config['SIGNING_ENGINE'] not in SIGNING_ENGINES:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Unknown signing engine: %s' % config['SIGNING_ENGINE'])
Add UI to the setup tool for enabling ACI conversion Fixes #1211
2016-02-16 20:31:23 +00:00
Switch to install custom LDAP cert by name
2016-06-09 18:47:08 +00:00
engine = SIGNING_ENGINES[config['SIGNING_ENGINE']](config, config_provider)
Add UI to the setup tool for enabling ACI conversion Fixes #1211
2016-02-16 20:31:23 +00:00
engine.detached_sign(StringIO('test string'))
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_security_scanner(config, user_obj, _):
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
""" Validates the configuration for talking to a Quay Security Scanner. """
Refactor security scanner validation from single sleep to polling
2017-01-30 20:34:59 +00:00
client = app.config['HTTPCLIENT']
api = SecurityScannerAPI(app, config, None, client=client, skip_validation=True)
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
if not config.get('TESTING', False):
# Generate a temporary Quay key to use for signing the outgoing requests.
setup_jwt_proxy()
Refactor security scanner validation from single sleep to polling
2017-01-30 20:34:59 +00:00
# We have to wait for JWT proxy to restart with the newly generated key.
max_tries = 5
response = None
while max_tries > 0:
response = api.ping()
if response.status_code == 200:
return
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
Refactor security scanner validation from single sleep to polling
2017-01-30 20:34:59 +00:00
time.sleep(1)
max_tries = max_tries - 1
message = 'Expected 200 status code, got %s: %s' % (response.status_code, response.text)
raise ConfigValidationException('Could not ping security scanner: %s' % message)
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
def _validate_bittorrent(config, user_obj, _):
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
""" Validates the configuration for using BitTorrent for downloads. """
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
announce_url = config.get('BITTORRENT_ANNOUNCE_URL')
if not announce_url:
raise ConfigValidationException('Missing announce URL')
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
# Ensure that the tracker is reachable and accepts requests signed with a registry key.
client = app.config['HTTPCLIENT']
params = {
'info_hash': sha1('somedata').digest(),
'peer_id': '-QUAY00-6wfG2wk6wWLc',
'uploaded': 0,
'downloaded': 0,
'left': 0,
'numwant': 0,
'port': 80,
}
encoded_jwt = torrent_jwt(params)
params['jwt'] = encoded_jwt
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
resp = client.get(announce_url, timeout=5, params=params)
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
logger.debug('Got tracker response: %s: %s', resp.status_code, resp.text)
if resp.status_code == 404:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Announce path not found; did you forget `/announce`?')
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
if resp.status_code == 500:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Did not get expected response from Tracker; ' +
'please check your settings')
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
if resp.status_code == 200:
if 'invalid jwt' in resp.text:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Could not authorize to Tracker; is your Tracker ' +
'properly configured?')
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
if 'failure reason' in resp.text:
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
raise ConfigValidationException('Could not validate signed announce request: ' + resp.text)
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
Fix config validator for storage and add a test suite Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-29 20:20:46 +00:00
VALIDATORS = {
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
'database': _validate_database,
'redis': _validate_redis,
'registry-storage': _validate_registry_storage,
'mail': _validate_mailing,
Add validation of github to the config tool
2015-01-08 18:26:24 +00:00
'github-login': _validate_github('GITHUB_LOGIN_CONFIG'),
'github-trigger': _validate_github('GITHUB_TRIGGER_CONFIG'),
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 18:50:26 +00:00
'gitlab-trigger': _validate_gitlab,
'bitbucket-trigger': _validate_bitbucket,
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 18:56:17 +00:00
'google-login': _validate_google_login,
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 21:20:51 +00:00
'ssl': _validate_ssl,
'ldap': _validate_ldap,
Add support for an external JWT-based authentication system This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 22:19:22 +00:00
'jwt': _validate_jwt,
Basic Keystone Auth support Note: This has been verified as working by the end customer
2015-07-13 09:34:32 +00:00
'keystone': _validate_keystone,
Add UI to the setup tool for enabling ACI conversion Fixes #1211
2016-02-16 20:31:23 +00:00
'signer': _validate_signer,
Implement setup tool support for Clair Fixes #1387
2016-05-02 19:29:31 +00:00
'security-scanner': _validate_security_scanner,
Add QE setup tool support for BitTorrent downloads Fixes #1871
2016-09-26 09:13:59 +00:00
'bittorrent': _validate_bittorrent,
Automatically link the superuser account to federated service for auth When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
2015-07-20 17:18:07 +00:00
}
Reference in a new issue Copy permalink