From 3bf8973fd9f76e66601affb443ea9c0fc4a81724 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Fri, 27 Oct 2017 14:55:49 -0400
Subject: [PATCH] Change app registry to use the credentials verification system
Allows for tokens, OAuth tokens and robot accounts to be used as well
Fixes https://jira.prod.coreos.systems/browse/QS-36
---
 auth/credentials.py | 1 +
 endpoints/appr/registry.py | 9 +++++----
 endpoints/v1/index.py | 10 +++++++---
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/auth/credentials.py b/auth/credentials.py
index e1e6b5bf0..4b15a2cbe 100644
--- a/auth/credentials.py
+++ b/auth/credentials.py
@@ -13,6 +13,7 @@ logger = logging.getLogger(__name__)
 ACCESS_TOKEN_USERNAME = '$token'
 OAUTH_TOKEN_USERNAME = '$oauthtoken'
+
 class CredentialKind(Enum):
 user = 'user'
 robot = 'robot'
diff --git a/endpoints/appr/registry.py b/endpoints/appr/registry.py
index 8d7e988b3..4c73fcffb 100644
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@@ -11,6 +11,7 @@ from cnr.exception import (
 from flask import jsonify, request
 from auth.auth_context import get_authenticated_user
+from auth.credentials import validate_credentials
 from auth.decorators import process_auth
 from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
 from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_write
@@ -56,11 +57,11 @@ def login():
 if not username or not password:
 raise InvalidUsage('Missing username or password')
- user, err = User.get_user(username, password)
- if err is not None:
- raise UnauthorizedAccess(err)
+ result, _ = validate_credentials(username, password)
+ if not result.auth_valid:
+ raise UnauthorizedAccess(result.error_message)
- return jsonify({'token': "basic " + b64encode("%s:%s" % (user.username, password))})
+ return jsonify({'token': "basic " + b64encode("%s:%s" % (username, password))})
 # @TODO: Redirect to S3 url
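Review bot: The new `raise UnauthorizedAccess(result.error_message)` in `login()` sends the validator's message to the client verbatim for every credential kind, while the parallel change in endpoints/v1/index.py substitutes a fixed 'Invalid oauth access token.' for `CredentialKind.oauth_token`; if the wording produced by `validate_credentials` distinguishes an unknown user or robot from a wrong secret, the appr login becomes an enumeration oracle that the v1 path avoids. Keeping the second return value instead of discarding it (`result, kind = validate_credentials(username, password)` — index.py binds it as `kind`) would let this endpoint apply the same per-kind mapping, with the detailed `result.error_message` going to the server log rather than the response. Echoing the client-supplied `username` in place of the old `user.username` is required for `$token`/`$oauthtoken`, but for a plain user the basic token now carries whatever spelling the client sent rather than the resolved account name, so it should be confirmed that the later `process_auth` resolution accepts the same input. The start of `login()` (the request parsing that sets `username` and `password`) lies outside the hunk.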
diff --git a/endpoints/v1/index.py b/endpoints/v1/index.py
index 30aa72235..42e1b26d0 100644
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@@ -96,9 +96,13 @@ def create_user():
 if kind == CredentialKind.oauth_token:
 abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token')
- # Mark that the login failed.
- event = userevents.get_event(username)
- event.publish_event_data('docker-cli', {'action': 'loginfailure'})
+ if kind == CredentialKind.user:
+ # Mark that the login failed.
+ event = userevents.get_event(username)
+ event.publish_event_data('docker-cli', {'action': 'loginfailure'})
+ abort(400, result.error_message, issue='login-failure')
+
+ # Default case: Just fail.
 abort(400, result.error_message, issue='login-failure')
 if result.has_user:
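Review bot: Gating the `loginfailure` event on `kind == CredentialKind.user` means a failed login with a robot account (`CredentialKind.robot`, declared in auth/credentials.py) no longer publishes a docker-cli failure event, so a credential-stuffing run against robot tokens loses the signal that user logins keep; unless `userevents.get_event(username)` cannot handle robot names, `if kind in (CredentialKind.user, CredentialKind.robot):` preserves that coverage. The `abort(400, result.error_message, issue='login-failure')` inside that `if` duplicates the unconditional abort that follows it, so the inner call can be dropped and the `# Default case: Just fail.` exit becomes the only one. The enclosing `create_user()` begins before the hunk and continues past `if result.has_user:`.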