vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Automatically link the superuser account to federated service for auth

Browse source 
When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
This commit is contained in:
Joseph Schorr 2015-07-20 13:18:07 -04:00
parent 33b54218cc
commit 38a6b3621c
5 changed files with 37 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
data/model/user.py
View file

@ -295,6 +295,15 @@ def list_entity_robot_permission_teams(entity_name, include_permissions=False):
return TupleSelector(query, fields) return TupleSelector(query, fields)
def confirm_attached_federated_login(user, service_name):
""" Verifies that the given user has a federated service identity for the specified service.
If none found, a row is added for that service and user.
"""
with db_transaction():
if not lookup_federated_login(user, service_name):
attach_federated_login(user, service_name, user.username)
def create_federated_user(username, email, service_name, service_id, def create_federated_user(username, email, service_name, service_id,
set_password_notification, metadata={}): set_password_notification, metadata={}):
if not is_create_user_allowed(): if not is_create_user_allowed():

17
data/users/__init__.py
View file

@ -15,6 +15,19 @@ from util.aes import AESCipher
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
def get_federated_service_name(authentication_type):
if authentication_type == 'LDAP':
return 'ldap'
if authentication_type == 'JWT':
return 'jwtauthn'
if authentication_type == 'Keystone':
return 'keystone'
raise Exception('Unknown auth type: %s' % authentication_type)
class UserAuthentication(object): class UserAuthentication(object):
def __init__(self, app=None, override_config_dir=None): def __init__(self, app=None, override_config_dir=None):
self.app_secret_key = None self.app_secret_key = None
@ -45,8 +58,8 @@ class UserAuthentication(object):
verify_url = app.config.get('JWT_VERIFY_ENDPOINT') verify_url = app.config.get('JWT_VERIFY_ENDPOINT')
issuer = app.config.get('JWT_AUTH_ISSUER') issuer = app.config.get('JWT_AUTH_ISSUER')
max_fresh_s = app.config.get('JWT_AUTH_MAX_FRESH_S', 300) max_fresh_s = app.config.get('JWT_AUTH_MAX_FRESH_S', 300)
users = ExternalJWTAuthN(verify_url, issuer, override_config_dir, max_fresh_s, users = ExternalJWTAuthN(verify_url, issuer, override_config_dir,
app.config['HTTPCLIENT']) app.config['HTTPCLIENT'], max_fresh_s)
elif authentication_type == 'Keystone': elif authentication_type == 'Keystone':
auth_url = app.config.get('KEYSTONE_AUTH_URL') auth_url = app.config.get('KEYSTONE_AUTH_URL')
keystone_admin_username = app.config.get('KEYSTONE_ADMIN_USERNAME') keystone_admin_username = app.config.get('KEYSTONE_ADMIN_USERNAME')

9
endpoints/api/suconfig.py
View file

@ -13,10 +13,12 @@ from app import app, CONFIG_PROVIDER, superusers
from data import model from data import model
from data.database import configure from data.database import configure
from auth.permissions import SuperUserPermission from auth.permissions import SuperUserPermission
from auth.auth_context import get_authenticated_user
from data.database import User from data.database import User
from util.config.configutil import add_enterprise_config_defaults from util.config.configutil import add_enterprise_config_defaults
from util.config.validator import validate_service_for_config, CONFIG_FILENAMES from util.config.validator import validate_service_for_config, CONFIG_FILENAMES
from data.runmigration import run_alembic_migration from data.runmigration import run_alembic_migration
from data.users import get_federated_service_name
import features import features
@ -208,6 +210,13 @@ class SuperUserConfig(ApiResource):
# Write the configuration changes to the YAML file. # Write the configuration changes to the YAML file.
CONFIG_PROVIDER.save_yaml(config_object) CONFIG_PROVIDER.save_yaml(config_object)
# If the authentication system is not the database, link the superuser account to the
# the authentication system chosen.
if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database':
service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
current_user = get_authenticated_user()
model.user.confirm_attached_federated_login(current_user, service_name)
return { return {
'exists': True, 'exists': True,
'config': config_object 'config': config_object

2
static/js/core-config-setup.js
View file

@ -207,7 +207,7 @@ angular.module("core-config-setup", ['angularFileUpload'])
'</form>', '</form>',
"title": 'Enter Password', "title": 'Enter Password',
"buttons": { "buttons": {
"verify": { "success": {
"label": "Validate Config", "label": "Validate Config",
"className": "btn-success", "className": "btn-success",
"callback": function() { "callback": function() {

5
util/config/validator.py
View file

@ -344,7 +344,8 @@ def _validate_jwt(config, password):
# Try to instatiate the JWT authentication mechanism. This will raise an exception if # Try to instatiate the JWT authentication mechanism. This will raise an exception if
# the key cannot be found. # the key cannot be found.
users = ExternalJWTAuthN(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY, users = ExternalJWTAuthN(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY,
app.config['HTTPCLIENT']) app.config['HTTPCLIENT'],
app.config.get('JWT_AUTH_MAX_FRESH_S', 300))
# Verify that the superuser exists. If not, raise an exception. # Verify that the superuser exists. If not, raise an exception.
username = get_authenticated_user().username username = get_authenticated_user().username
@ -403,4 +404,4 @@ _VALIDATORS = {
'ldap': _validate_ldap, 'ldap': _validate_ldap,
'jwt': _validate_jwt, 'jwt': _validate_jwt,
'keystone': _validate_keystone, 'keystone': _validate_keystone,
} }