commit
1a03d36f30
19 changed files with 291 additions and 37 deletions
|
@ -2,6 +2,7 @@
|
|||
|
||||
The following are features that have been merged, but not yet deployed:
|
||||
|
||||
- Add ability to disable users via the superuser panel (#26)
|
||||
- Add a Changelog view to the superuser panel (#186)
|
||||
|
||||
### 1.9.7
|
||||
|
|
|
@ -35,6 +35,10 @@ def _load_user_from_cookie():
|
|||
logger.debug('Loading user from cookie: %s', current_user.get_id())
|
||||
db_user = current_user.db_user()
|
||||
if db_user is not None:
|
||||
# Don't allow disabled users to login.
|
||||
if not db_user.enabled:
|
||||
return None
|
||||
|
||||
set_authenticated_user(db_user)
|
||||
loaded = QuayDeferredPermissionUser.for_user(db_user)
|
||||
identity_changed.send(app, identity=loaded)
|
||||
|
@ -62,6 +66,10 @@ def _validate_and_apply_oauth_token(token):
|
|||
abort(401, message='OAuth access token has expired: %(token)s',
|
||||
issue='invalid-oauth-token', token=token, headers=authenticate_header)
|
||||
|
||||
# Don't allow disabled users to login.
|
||||
if not validated.authorized_user.enabled:
|
||||
return None
|
||||
|
||||
# We have a valid token
|
||||
scope_set = scopes.scopes_from_scope_string(validated.scope)
|
||||
logger.debug('Successfully validated oauth access token: %s with scope: %s', token,
|
||||
|
|
|
@ -17,6 +17,9 @@ def get_authenticated_user():
|
|||
|
||||
logger.debug('Loading deferred authenticated user.')
|
||||
loaded = model.get_user_by_uuid(user_uuid)
|
||||
if not loaded.enabled:
|
||||
return None
|
||||
|
||||
set_authenticated_user(loaded)
|
||||
user = loaded
|
||||
|
||||
|
@ -26,6 +29,9 @@ def get_authenticated_user():
|
|||
|
||||
|
||||
def set_authenticated_user(user_or_robot):
|
||||
if not user_or_robot.enabled:
|
||||
raise Exception('Attempt to authenticate a disabled user/robot: %s' % user_or_robot.username)
|
||||
|
||||
ctx = _request_ctx_stack.top
|
||||
ctx.authenticated_user = user_or_robot
|
||||
|
||||
|
|
|
@ -193,6 +193,7 @@ class User(BaseModel):
|
|||
invalid_login_attempts = IntegerField(default=0)
|
||||
last_invalid_login = DateTimeField(default=datetime.utcnow)
|
||||
removed_tag_expiration_s = IntegerField(default=1209600) # Two weeks
|
||||
enabled = BooleanField(default=True)
|
||||
|
||||
def delete_instance(self, recursive=False, delete_nullable=False):
|
||||
# If we are deleting a robot account, only execute the subset of queries necessary.
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
"""Add enabled column to the user system
|
||||
|
||||
Revision ID: 154f2befdfbe
|
||||
Revises: 41f4587c84ae
|
||||
Create Date: 2015-05-11 17:02:43.507847
|
||||
|
||||
"""
|
||||
|
||||
# revision identifiers, used by Alembic.
|
||||
revision = '154f2befdfbe'
|
||||
down_revision = '41f4587c84ae'
|
||||
|
||||
from alembic import op
|
||||
import sqlalchemy as sa
|
||||
|
||||
|
||||
def upgrade(tables):
|
||||
### commands auto generated by Alembic - please adjust! ###
|
||||
op.add_column('user', sa.Column('enabled', sa.Boolean(), nullable=False, default=True))
|
||||
### end Alembic commands ###
|
||||
|
||||
|
||||
def downgrade(tables):
|
||||
### commands auto generated by Alembic - please adjust! ###
|
||||
op.drop_column('user', 'enabled')
|
||||
### end Alembic commands ###
|
|
@ -67,6 +67,7 @@ class InvalidRobotException(DataModelException):
|
|||
class InvalidTeamException(DataModelException):
|
||||
pass
|
||||
|
||||
|
||||
class InvalidTeamMemberException(DataModelException):
|
||||
pass
|
||||
|
||||
|
@ -259,16 +260,35 @@ def lookup_robot(robot_username):
|
|||
return found[0]
|
||||
|
||||
def verify_robot(robot_username, password):
|
||||
joined = User.select().join(FederatedLogin).join(LoginService)
|
||||
found = list(joined.where(FederatedLogin.service_ident == password,
|
||||
LoginService.name == 'quayrobot',
|
||||
User.username == robot_username))
|
||||
if not found:
|
||||
result = parse_robot_username(robot_username)
|
||||
if result is None:
|
||||
raise InvalidRobotException('%s is an invalid robot name' % robot_username)
|
||||
|
||||
# Find the matching robot.
|
||||
query = (User.select()
|
||||
.join(FederatedLogin)
|
||||
.join(LoginService)
|
||||
.where(FederatedLogin.service_ident == password,
|
||||
LoginService.name == 'quayrobot',
|
||||
User.username == robot_username))
|
||||
|
||||
try:
|
||||
robot = query.get()
|
||||
except User.DoesNotExist:
|
||||
msg = ('Could not find robot with username: %s and supplied password.' %
|
||||
robot_username)
|
||||
raise InvalidRobotException(msg)
|
||||
|
||||
return found[0]
|
||||
# Find the owner user and ensure it is not disabled.
|
||||
try:
|
||||
owner = User.get(User.username == result[0])
|
||||
except User.DoesNotExist:
|
||||
raise InvalidRobotException('Robot %s owner does not exist' % robot_username)
|
||||
|
||||
if not owner.enabled:
|
||||
raise InvalidRobotException('This user has been disabled. Please contact your administrator.')
|
||||
|
||||
return robot
|
||||
|
||||
def regenerate_robot_token(robot_shortname, parent):
|
||||
robot_username = format_robot_username(parent.username, robot_shortname)
|
||||
|
|
|
@ -410,7 +410,14 @@ class UserAuthentication(object):
|
|||
else:
|
||||
password = decrypted
|
||||
|
||||
return self.state.verify_user(username_or_email, password)
|
||||
(result, err_msg) = self.state.verify_user(username_or_email, password)
|
||||
if not result:
|
||||
return (result, err_msg)
|
||||
|
||||
if not result.enabled:
|
||||
return (None, 'This user has been disabled. Please contact your administrator.')
|
||||
|
||||
return (result, err_msg)
|
||||
|
||||
def __getattr__(self, name):
|
||||
return getattr(self.state, name, None)
|
||||
|
|
|
@ -115,7 +115,8 @@ def user_view(user):
|
|||
'email': user.email,
|
||||
'verified': user.verified,
|
||||
'avatar': avatar.get_data_for_user(user),
|
||||
'super_user': superusers.is_superuser(user.username)
|
||||
'super_user': superusers.is_superuser(user.username),
|
||||
'enabled': user.enabled
|
||||
}
|
||||
|
||||
@resource('/v1/superuser/changelog/')
|
||||
|
@ -335,6 +336,11 @@ class SuperUserManagement(ApiResource):
|
|||
if 'email' in user_data:
|
||||
model.update_email(user, user_data['email'], auto_verify=True)
|
||||
|
||||
if 'enabled' in user_data:
|
||||
# Disable/enable the user.
|
||||
user.enabled = bool(user_data['enabled'])
|
||||
user.save()
|
||||
|
||||
return user_view(user)
|
||||
|
||||
abort(403)
|
||||
|
|
|
@ -403,6 +403,7 @@ def conduct_signin(username_or_email, password):
|
|||
return {
|
||||
'needsEmailVerification': needs_email_verification,
|
||||
'invalidCredentials': invalid_credentials,
|
||||
'message': error_message
|
||||
}, 403
|
||||
|
||||
|
||||
|
|
|
@ -330,6 +330,12 @@ def populate_database():
|
|||
new_user_1.stripe_id = TEST_STRIPE_ID
|
||||
new_user_1.save()
|
||||
|
||||
disabled_user = model.create_user('disabled', 'password',
|
||||
'jschorr+disabled@devtable.com')
|
||||
disabled_user.verified = True
|
||||
disabled_user.enabled = False
|
||||
disabled_user.save()
|
||||
|
||||
dtrobot = model.create_robot('dtrobot', new_user_1)
|
||||
|
||||
new_user_2 = model.create_user('public', 'password',
|
||||
|
|
25
static/css/pages/superuser.css
Normal file
25
static/css/pages/superuser.css
Normal file
|
@ -0,0 +1,25 @@
|
|||
.super-user .user-row {
|
||||
border-bottom: 0px;
|
||||
}
|
||||
|
||||
.super-user .user-row td {
|
||||
vertical-align: middle;
|
||||
}
|
||||
|
||||
.super-user .user-row .user-class {
|
||||
text-transform: uppercase;
|
||||
}
|
||||
|
||||
.super-user .user-row .labels {
|
||||
float: right;
|
||||
white-space: nowrap;
|
||||
}
|
||||
|
||||
.super-user .user-row .labels .label {
|
||||
text-transform: uppercase;
|
||||
margin-right: 10px;
|
||||
}
|
||||
|
||||
.super-user .user-row.disabled .avatar {
|
||||
-webkit-filter: grayscale(100%);
|
||||
}
|
|
@ -3928,28 +3928,6 @@ pre.command:before {
|
|||
padding: 6px;
|
||||
}
|
||||
|
||||
.user-row {
|
||||
border-bottom: 0px;
|
||||
}
|
||||
|
||||
.user-row td {
|
||||
vertical-align: middle;
|
||||
}
|
||||
|
||||
.user-row .user-class {
|
||||
text-transform: uppercase;
|
||||
}
|
||||
|
||||
.user-row .labels {
|
||||
float: right;
|
||||
white-space: nowrap;
|
||||
}
|
||||
|
||||
.user-row .labels .label {
|
||||
text-transform: uppercase;
|
||||
margin-right: 10px;
|
||||
}
|
||||
|
||||
.form-change input {
|
||||
margin-top: 12px;
|
||||
margin-bottom: 12px;
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
<div class="signin-form-element">
|
||||
<span class="quay-spinner" ng-show="signingIn"></span>
|
||||
<div class="signin-form-element" style="position: relative">
|
||||
<span class="cor-loader" ng-show="signingIn"></span>
|
||||
<form class="form-signin" ng-submit="signin();" ng-show="!signingIn">
|
||||
<input type="text" class="form-control input-lg" name="username"
|
||||
placeholder="Username or E-mail Address" ng-model="user.username" autofocus>
|
||||
<input type="password" class="form-control input-lg" name="password"
|
||||
placeholder="Password" ng-model="user.password">
|
||||
|
||||
<div class="alert alert-warning" ng-show="tryAgainSoon > 0">
|
||||
<div class="co-alert co-alert-warning" ng-show="tryAgainSoon > 0">
|
||||
Too many attempts have been made to login. Please try again in {{ tryAgainSoon }} second<span ng-if="tryAgainSoon != 1">s</span>.
|
||||
</div>
|
||||
|
||||
|
@ -23,8 +23,10 @@
|
|||
</span>
|
||||
</form>
|
||||
|
||||
<div class="alert alert-danger" ng-show="invalidCredentials">Invalid username or password.</div>
|
||||
<div class="alert alert-danger" ng-show="needsEmailVerification">
|
||||
<div class="co-alert co-alert-danger" ng-show="invalidCredentials">
|
||||
{{ invalidCredentialsMessage || 'Invalid username or password.' }}
|
||||
</div>
|
||||
<div class="co-alert co-alert-danger" ng-show="needsEmailVerification">
|
||||
You must verify your email address before you can sign in.
|
||||
</div>
|
||||
</div>
|
||||
|
|
|
@ -53,6 +53,7 @@ angular.module('quay').directive('signinForm', function () {
|
|||
$scope.signingIn = false;
|
||||
$scope.needsEmailVerification = false;
|
||||
$scope.invalidCredentials = false;
|
||||
$scope.invalidCredentialsMessage = null;
|
||||
|
||||
if ($scope.signedIn != null) {
|
||||
$scope.signedIn();
|
||||
|
@ -77,6 +78,7 @@ angular.module('quay').directive('signinForm', function () {
|
|||
if (result.status == 429 /* try again later */) {
|
||||
$scope.needsEmailVerification = false;
|
||||
$scope.invalidCredentials = false;
|
||||
$scope.invalidCredentialsMessage = null;
|
||||
|
||||
$scope.cancelInterval();
|
||||
|
||||
|
@ -87,9 +89,12 @@ angular.module('quay').directive('signinForm', function () {
|
|||
$scope.cancelInterval();
|
||||
}
|
||||
}, 1000, $scope.tryAgainSoon);
|
||||
} else if (result.status == 400) {
|
||||
bootbox.alert(ApiService.getErrorMessage(result));
|
||||
} else {
|
||||
$scope.needsEmailVerification = result.data.needsEmailVerification;
|
||||
$scope.invalidCredentials = result.data.invalidCredentials;
|
||||
$scope.invalidCredentialsMessage = result.data.message;
|
||||
}
|
||||
});
|
||||
};
|
||||
|
|
|
@ -232,6 +232,32 @@
|
|||
});
|
||||
};
|
||||
|
||||
$scope.askDisableUser = function(user) {
|
||||
var message = 'Are you sure you want to disable this user? ' +
|
||||
'They will be unable to login, pull or push.'
|
||||
|
||||
if (!user.enabled) {
|
||||
message = 'Are you sure you want to reenable this user? ' +
|
||||
'They will be able to login, pull or push.'
|
||||
}
|
||||
|
||||
bootbox.confirm(message, function(resp) {
|
||||
if (resp) {
|
||||
var params = {
|
||||
'username': user.username
|
||||
};
|
||||
|
||||
var data = {
|
||||
'enabled': !user.enabled
|
||||
};
|
||||
|
||||
ApiService.changeInstallUser(data, params).then(function(resp) {
|
||||
$scope.loadUsersInternal();
|
||||
});
|
||||
}
|
||||
});
|
||||
};
|
||||
|
||||
$scope.changeUserPassword = function(user) {
|
||||
$('#changePasswordModal').modal('hide');
|
||||
|
||||
|
|
|
@ -156,7 +156,8 @@
|
|||
</thead>
|
||||
|
||||
<tr ng-repeat="current_user in (users | filter:search | orderBy:'username')"
|
||||
class="user-row">
|
||||
class="user-row"
|
||||
ng-class="current_user.enabled ? 'enabled': 'disabled'">
|
||||
<td>
|
||||
<span class="avatar" data="current_user.avatar" size="24"></span>
|
||||
</td>
|
||||
|
@ -165,6 +166,8 @@
|
|||
<span class="label label-success" ng-if="user.username == current_user.username">You</span>
|
||||
<span class="label label-primary"
|
||||
ng-if="current_user.super_user">Superuser</span>
|
||||
<span class="label label-default"
|
||||
ng-if="!current_user.enabled">Disabled</span>
|
||||
</span>
|
||||
{{ current_user.username }}
|
||||
</td>
|
||||
|
@ -187,6 +190,9 @@
|
|||
<span class="cor-option" option-click="showDeleteUser(current_user)">
|
||||
<i class="fa fa-times"></i> Delete User
|
||||
</span>
|
||||
<span class="cor-option" option-click="askDisableUser(current_user)">
|
||||
<i class="fa" ng-class="current_user.enabled ? 'fa-circle-o' : 'fa-check-circle-o'"></i> <span ng-if="current_user.enabled">Disable</span> <span ng-if="!current_user.enabled">Enable</span> User
|
||||
</span>
|
||||
</span>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
Binary file not shown.
130
test/test_auth.py
Normal file
130
test/test_auth.py
Normal file
|
@ -0,0 +1,130 @@
|
|||
import unittest
|
||||
import base64
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
from app import app
|
||||
from data import model
|
||||
from data.database import OAuthApplication, OAuthAccessToken
|
||||
from flask import g
|
||||
from flask.ext.principal import identity_loaded
|
||||
|
||||
from auth.auth import _process_basic_auth
|
||||
from endpoints.api import api_bp, api
|
||||
from endpoints.api.user import User, Signin
|
||||
|
||||
import json as py_json
|
||||
from test.test_api_usage import ApiTestCase
|
||||
|
||||
ADMIN_ACCESS_USER = 'devtable'
|
||||
DISABLED_USER = 'disabled'
|
||||
|
||||
@identity_loaded.connect_via(app)
|
||||
def on_identity_loaded(sender, identity):
|
||||
g.identity = identity
|
||||
|
||||
class TestAuth(ApiTestCase):
|
||||
def verify_cookie_auth(self, username):
|
||||
resp = self.getJsonResponse(User)
|
||||
self.assertEquals(resp['username'], username)
|
||||
|
||||
def verify_identity(self, id):
|
||||
try:
|
||||
identity = g.identity
|
||||
except:
|
||||
identity = None
|
||||
|
||||
self.assertIsNotNone(identity)
|
||||
self.assertEquals(identity.id, id)
|
||||
|
||||
def verify_no_identity(self):
|
||||
try:
|
||||
identity = g.identity
|
||||
except:
|
||||
identity = None
|
||||
|
||||
self.assertIsNone(identity)
|
||||
|
||||
def conduct_basic_auth(self, username, password):
|
||||
encoded = base64.b64encode(username + ':' + password)
|
||||
try:
|
||||
_process_basic_auth('Basic ' + encoded)
|
||||
except:
|
||||
pass
|
||||
|
||||
def create_oauth(self, user):
|
||||
oauth_app = OAuthApplication.create(client_id='onetwothree', redirect_uri='',
|
||||
application_uri='', organization=user,
|
||||
name='someapp')
|
||||
|
||||
expires_at = datetime.utcnow() + timedelta(seconds=50000)
|
||||
OAuthAccessToken.create(application=oauth_app, authorized_user=user,
|
||||
scope='repo:admin',
|
||||
access_token='access1234', token_type='Bearer',
|
||||
expires_at=expires_at, refresh_token=None, data={})
|
||||
|
||||
def test_login(self):
|
||||
password = 'password'
|
||||
resp = self.postJsonResponse(Signin, data=dict(username=ADMIN_ACCESS_USER, password=password))
|
||||
self.assertTrue(resp.get('success'))
|
||||
self.verify_cookie_auth(ADMIN_ACCESS_USER)
|
||||
|
||||
def test_login_disabled(self):
|
||||
password = 'password'
|
||||
self.postJsonResponse(Signin, data=dict(username=DISABLED_USER, password=password),
|
||||
expected_code=403)
|
||||
|
||||
def test_basic_auth_user(self):
|
||||
user = model.get_user(ADMIN_ACCESS_USER)
|
||||
self.conduct_basic_auth(ADMIN_ACCESS_USER, 'password')
|
||||
self.verify_identity(user.uuid)
|
||||
|
||||
def test_basic_auth_disabled_user(self):
|
||||
user = model.get_user(DISABLED_USER)
|
||||
self.conduct_basic_auth(DISABLED_USER, 'password')
|
||||
self.verify_no_identity()
|
||||
|
||||
def test_basic_auth_token(self):
|
||||
token = model.create_delegate_token(ADMIN_ACCESS_USER, 'simple', 'sometoken')
|
||||
self.conduct_basic_auth('$token', token.code)
|
||||
self.verify_identity(token.code)
|
||||
|
||||
def test_basic_auth_invalid_token(self):
|
||||
self.conduct_basic_auth('$token', 'foobar')
|
||||
self.verify_no_identity()
|
||||
|
||||
def test_basic_auth_invalid_user(self):
|
||||
self.conduct_basic_auth('foobarinvalid', 'foobar')
|
||||
self.verify_no_identity()
|
||||
|
||||
def test_oauth_invalid(self):
|
||||
self.conduct_basic_auth('$oauthtoken', 'foobar')
|
||||
self.verify_no_identity()
|
||||
|
||||
def test_oauth_valid_user(self):
|
||||
user = model.get_user(ADMIN_ACCESS_USER)
|
||||
self.create_oauth(user)
|
||||
self.conduct_basic_auth('$oauthtoken', 'access1234')
|
||||
self.verify_identity(user.uuid)
|
||||
|
||||
def test_oauth_disabled_user(self):
|
||||
user = model.get_user(DISABLED_USER)
|
||||
self.create_oauth(user)
|
||||
self.conduct_basic_auth('$oauthtoken', 'access1234')
|
||||
self.verify_no_identity()
|
||||
|
||||
def test_basic_auth_robot(self):
|
||||
user = model.get_user(ADMIN_ACCESS_USER)
|
||||
robot, passcode = model.get_robot('dtrobot', user)
|
||||
self.conduct_basic_auth(robot.username, passcode)
|
||||
self.verify_identity(robot.uuid)
|
||||
|
||||
def test_basic_auth_robot_invalidcode(self):
|
||||
user = model.get_user(ADMIN_ACCESS_USER)
|
||||
robot, _ = model.get_robot('dtrobot', user)
|
||||
self.conduct_basic_auth(robot.username, 'someinvalidcode')
|
||||
self.verify_no_identity()
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main()
|
||||
|
|
@ -43,7 +43,7 @@ def abort(status_code, message=None, issue=None, headers=None, **kwargs):
|
|||
message = (str(message) % kwargs if message else
|
||||
DEFAULT_MESSAGE.get(status_code, ''))
|
||||
|
||||
params = dict(request.view_args)
|
||||
params = dict(request.view_args or {})
|
||||
params.update(kwargs)
|
||||
|
||||
params['url'] = request.url
|
||||
|
|
Reference in a new issue