vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Remove user_exists endpoint from all auth systems

Browse source
This commit is contained in:
Joseph Schorr 2015-06-22 18:17:37 -04:00
parent b21a033ef3
commit 07439328a4
6 changed files with 102 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

58
util/config/validator.py
View file

@ -7,7 +7,7 @@ import OpenSSL
import logging
from fnmatch import fnmatch
from data.users import LDAPConnection, JWTAuthUsers
from data.users import LDAPConnection, JWTAuthUsers, LDAPUsers
from flask import Flask
from flask.ext.mail import Mail, Message
from data.database import validate_database_url, User
@ -31,7 +31,7 @@ def get_storage_provider(config):
except TypeError:
raise Exception('Missing required storage configuration parameter(s)')
def validate_service_for_config(service, config):
def validate_service_for_config(service, config, password=None):
""" Attempts to validate the configuration for the given service. """
if not service in _VALIDATORS:
return {
@ -39,7 +39,7 @@ def validate_service_for_config(service, config):
}
try:
_VALIDATORS[service](config)
_VALIDATORS[service](config, password)
return {
'status': True
}
@ -51,7 +51,7 @@ def validate_service_for_config(service, config):
}
def _validate_database(config):
def _validate_database(config, _):
""" Validates connecting to the database. """
try:
validate_database_url(config['DB_URI'])
@ -62,7 +62,7 @@ def _validate_database(config):
raise ex
def _validate_redis(config):
def _validate_redis(config, _):
""" Validates connecting to redis. """
redis_config = config.get('BUILDLOGS_REDIS', {})
if not 'host' in redis_config:
@ -72,7 +72,7 @@ def _validate_redis(config):
client.ping()
def _validate_registry_storage(config):
def _validate_registry_storage(config, _):
""" Validates registry storage. """
driver = get_storage_provider(config)
@ -87,7 +87,7 @@ def _validate_registry_storage(config):
raise Exception('Could not prepare storage: %s' % str(ex))
def _validate_mailing(config):
def _validate_mailing(config, _):
""" Validates sending email. """
test_app = Flask("mail-test-app")
test_app.config.update(config)
@ -103,7 +103,7 @@ def _validate_mailing(config):
test_mail.send(test_msg)
def _validate_gitlab(config):
def _validate_gitlab(config, _):
""" Validates the OAuth credentials and API endpoint for a GitLab service. """
github_config = config.get('GITLAB_TRIGGER_CONFIG')
if not github_config:
@ -130,7 +130,7 @@ def _validate_gitlab(config):
def _validate_github(config_key):
return lambda config: _validate_github_with_key(config_key, config)
return lambda config, _: _validate_github_with_key(config_key, config)
def _validate_github_with_key(config_key, config):
@ -167,7 +167,7 @@ def _validate_github_with_key(config_key, config):
raise Exception('Invalid organization: %s' % org_id)
def _validate_bitbucket(config):
def _validate_bitbucket(config, _):
""" Validates the config for BitBucket. """
trigger_config = config.get('BITBUCKET_TRIGGER_CONFIG')
if not trigger_config:
@ -189,7 +189,7 @@ def _validate_bitbucket(config):
raise Exception('Invaid consumer key or secret')
def _validate_google_login(config):
def _validate_google_login(config, _):
""" Validates the Google Login client ID and secret. """
google_login_config = config.get('GOOGLE_LOGIN_CONFIG')
if not google_login_config:
@ -208,7 +208,7 @@ def _validate_google_login(config):
raise Exception('Invalid client id or client secret')
def _validate_ssl(config):
def _validate_ssl(config, _):
""" Validates the SSL configuration (if enabled). """
if config.get('PREFERRED_URL_SCHEME', 'http') != 'https':
return
@ -276,7 +276,7 @@ def _validate_ssl(config):
def _validate_ldap(config):
def _validate_ldap(config, password):
""" Validates the LDAP connection. """
if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
return
@ -305,37 +305,47 @@ def _validate_ldap(config):
raise Exception(values.get('desc', 'Unknown error'))
# Verify that the superuser exists. If not, raise an exception.
base_dn = config.get('LDAP_BASE_DN')
user_rdn = config.get('LDAP_USER_RDN', [])
uid_attr = config.get('LDAP_UID_ATTR', 'uid')
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
def _validate_jwt(config):
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr)
username = get_authenticated_user().username
(result, err_msg) = users.verify_user(username, password)
if not result:
raise Exception(('Verification of superuser %s failed: %s. \n\nThe user either does not exist ' +
'in the remote authentication system ' +
'OR LDAP auth is misconfigured.') % (username, err_msg))
def _validate_jwt(config, password):
""" Validates the JWT authentication system. """
if config.get('AUTHENTICATION_TYPE', 'Database') != 'JWT':
return
verify_endpoint = config.get('JWT_VERIFY_ENDPOINT')
exists_endpoint = config.get('JWT_EXISTS_ENDPOINT')
issuer = config.get('JWT_AUTH_ISSUER')
if not verify_endpoint:
raise Exception('Missing JWT Verification endpoint')
if not exists_endpoint:
raise Exception('Missing JWT Exists endpoint')
if not issuer:
raise Exception('Missing JWT Issuer ID')
# Try to instatiate the JWT authentication mechanism. This will raise an exception if
# the key cannot be found.
users = JWTAuthUsers(exists_endpoint, verify_endpoint, issuer,
OVERRIDE_CONFIG_DIRECTORY,
app.config['HTTPCLIENT'])
users = JWTAuthUsers(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY, app.config['HTTPCLIENT'])
# Verify that the superuser exists. If not, raise an exception.
username = get_authenticated_user().username
result = users.user_exists(username)
(result, err_msg) = users.verify_user(username, password)
if not result:
raise Exception(('Verification of superuser %s failed. The user either does not exist ' +
'in the remote authentication system OR JWT auth is misconfigured.') % username)
raise Exception(('Verification of superuser %s failed: %s. \n\nThe user either does not ' +
'exist in the remote authentication system ' +
'OR JWT auth is misconfigured.') % (username, err_msg))
_VALIDATORS = {