Determine which TUF root to show based on actual access, not requested

access
This commit is contained in:
Evan Cordell 2017-03-22 07:38:52 -04:00
parent 7b411b2c25
commit 43dd974dca
5 changed files with 61 additions and 38 deletions

View file

@ -105,7 +105,7 @@ class SecurityScannerAPI(object):
# Generate the JWT which will authorize this
audience = self._app.config['SERVER_HOSTNAME']
context, subject = build_context_and_subject(None, None, None)
context, subject = build_context_and_subject(None, None, None, None)
access = [{
'type': 'repository',
'name': repository_and_namespace,

View file

@ -8,6 +8,7 @@ logger = logging.getLogger(__name__)
ANONYMOUS_SUB = '(anonymous)'
ALGORITHM = 'RS256'
CLAIM_TUF_ROOT = 'com.apostille.root'
# The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
# count.
@ -99,14 +100,20 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
def build_context_and_subject(user, token, oauthtoken):
def build_context_and_subject(user, token, oauthtoken, tuf_root):
""" Builds the custom context field for the JWT signed token and returns it,
along with the subject for the JWT signed token. """
# Serve quay root if not explicitly granted permission to see signer root
if not tuf_root:
tuf_root = 'quay'
if oauthtoken:
context = {
'kind': 'oauth',
'user': user.username,
'oauth': oauthtoken.uuid,
CLAIM_TUF_ROOT: tuf_root,
}
return (context, user.username)
@ -115,6 +122,7 @@ def build_context_and_subject(user, token, oauthtoken):
context = {
'kind': 'user',
'user': user.username,
CLAIM_TUF_ROOT: tuf_root,
}
return (context, user.username)
@ -122,11 +130,13 @@ def build_context_and_subject(user, token, oauthtoken):
context = {
'kind': 'token',
'token': token.code,
CLAIM_TUF_ROOT: tuf_root,
}
return (context, None)
context = {
'kind': 'anonymous',
CLAIM_TUF_ROOT: tuf_root,
}
return (context, ANONYMOUS_SUB)