Change app registry to use the credentials verification system

Allows for tokens, OAuth tokens and robot accounts to be used as well Fixes https://jira.prod.coreos.systems/browse/QS-36
2017-10-27 14:55:49 -04:00 · 2017-10-27 14:55:49 -04:00 · 3bf8973fd9
commit 3bf8973fd9
parent aa49b37ad2
3 changed files with 13 additions and 7 deletions
--- a/auth/credentials.py
+++ b/auth/credentials.py
@ -13,6 +13,7 @@ logger = logging.getLogger(__name__)
 ACCESS_TOKEN_USERNAME = '$token'
 OAUTH_TOKEN_USERNAME = '$oauthtoken'

+
 class CredentialKind(Enum):
  user = 'user'
  robot = 'robot'
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@ -11,6 +11,7 @@ from cnr.exception import (
 from flask import jsonify, request

 from auth.auth_context import get_authenticated_user
+from auth.credentials import validate_credentials
 from auth.decorators import process_auth
 from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
 from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_write
@ -56,11 +57,11 @@ def login():
  if not username or not password:
    raise InvalidUsage('Missing username or password')

-  user, err = User.get_user(username, password)
-  if err is not None:
-    raise UnauthorizedAccess(err)
+  result, _ = validate_credentials(username, password)
+  if not result.auth_valid:
+    raise UnauthorizedAccess(result.error_message)

-  return jsonify({'token': "basic " + b64encode("%s:%s" % (user.username, password))})
+  return jsonify({'token': "basic " + b64encode("%s:%s" % (username, password))})


 # @TODO: Redirect to S3 url
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@ -96,11 +96,15 @@ def create_user():
    if kind == CredentialKind.oauth_token:
      abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token')

+    if kind == CredentialKind.user:
      # Mark that the login failed.
      event = userevents.get_event(username)
      event.publish_event_data('docker-cli', {'action': 'loginfailure'})
      abort(400, result.error_message, issue='login-failure')

+    # Default case: Just fail.
+    abort(400, result.error_message, issue='login-failure')
+
  if result.has_user:
    # Mark that the user was logged in.
    event = userevents.get_event(username)