vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Change app registry to use the credentials verification system

Browse source 
Allows for tokens, OAuth tokens and robot accounts to be used as well

Fixes https://jira.prod.coreos.systems/browse/QS-36
This commit is contained in:
Joseph Schorr 2017-10-27 14:55:49 -04:00 committed by Joseph Schorr
parent aa49b37ad2
commit 3bf8973fd9
3 changed files with 13 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
auth/credentials.py
View file

@ -13,6 +13,7 @@ logger = logging.getLogger(__name__)
ACCESS_TOKEN_USERNAME = '$token' ACCESS_TOKEN_USERNAME = '$token'
OAUTH_TOKEN_USERNAME = '$oauthtoken' OAUTH_TOKEN_USERNAME = '$oauthtoken'
class CredentialKind(Enum): class CredentialKind(Enum):
user = 'user' user = 'user'
robot = 'robot' robot = 'robot'

9
endpoints/appr/registry.py
View file

@ -11,6 +11,7 @@ from cnr.exception import (
from flask import jsonify, request from flask import jsonify, request
from auth.auth_context import get_authenticated_user from auth.auth_context import get_authenticated_user
from auth.credentials import validate_credentials
from auth.decorators import process_auth from auth.decorators import process_auth
from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_write from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_write
@ -56,11 +57,11 @@ def login():
if not username or not password: if not username or not password:
raise InvalidUsage('Missing username or password') raise InvalidUsage('Missing username or password')
user, err = User.get_user(username, password) result, _ = validate_credentials(username, password)
if err is not None: if not result.auth_valid:
raise UnauthorizedAccess(err) raise UnauthorizedAccess(result.error_message)
return jsonify({'token': "basic " + b64encode("%s:%s" % (user.username, password))}) return jsonify({'token': "basic " + b64encode("%s:%s" % (username, password))})
# @TODO: Redirect to S3 url # @TODO: Redirect to S3 url

4
endpoints/v1/index.py
View file

@ -96,11 +96,15 @@ def create_user():
if kind == CredentialKind.oauth_token: if kind == CredentialKind.oauth_token:
abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token') abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token')
if kind == CredentialKind.user:
# Mark that the login failed. # Mark that the login failed.
event = userevents.get_event(username) event = userevents.get_event(username)
event.publish_event_data('docker-cli', {'action': 'loginfailure'}) event.publish_event_data('docker-cli', {'action': 'loginfailure'})
abort(400, result.error_message, issue='login-failure') abort(400, result.error_message, issue='login-failure')
# Default case: Just fail.
abort(400, result.error_message, issue='login-failure')
if result.has_user: if result.has_user:
# Mark that the user was logged in. # Mark that the user was logged in.
event = userevents.get_event(username) event = userevents.get_event(username)